Pierre Morel
2020-Jun-17 10:43 UTC
[PATCH v3 0/1] s390: virtio: let arch choose to accept devices without IOMMU feature
An architecture protecting the guest memory against unauthorized host access may want to enforce VIRTIO I/O device protection through the use of VIRTIO_F_IOMMU_PLATFORM. Let's give a chance to the architecture to accept or not devices without VIRTIO_F_IOMMU_PLATFORM. Pierre Morel (1): s390: virtio: let arch accept devices without IOMMU feature arch/s390/mm/init.c | 6 ++++++ drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ include/linux/virtio.h | 2 ++ 3 files changed, 30 insertions(+) -- 2.25.1 Changelog to v3: - add warning (Connie, Christian) - add comment (Connie) - change hook name (Halil, Connie) to v2: - put the test in virtio_finalize_features() (Connie) - put the test inside VIRTIO core (Jason) - pass a virtio device as parameter (Halil)
Pierre Morel
2020-Jun-17 10:43 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
An architecture protecting the guest memory against unauthorized host access may want to enforce VIRTIO I/O device protection through the use of VIRTIO_F_IOMMU_PLATFORM. Let's give a chance to the architecture to accept or not devices without VIRTIO_F_IOMMU_PLATFORM. Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> Acked-by: Jason Wang <jasowang at redhat.com> Acked-by: Christian Borntraeger <borntraeger at de.ibm.com> --- arch/s390/mm/init.c | 6 ++++++ drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ include/linux/virtio.h | 2 ++ 3 files changed, 30 insertions(+) diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c index 6dc7c3b60ef6..215070c03226 100644 --- a/arch/s390/mm/init.c +++ b/arch/s390/mm/init.c @@ -45,6 +45,7 @@ #include <asm/kasan.h> #include <asm/dma-mapping.h> #include <asm/uv.h> +#include <linux/virtio.h> pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); @@ -161,6 +162,11 @@ bool force_dma_unencrypted(struct device *dev) return is_prot_virt_guest(); } +int arch_needs_virtio_iommu_platform(struct virtio_device *dev) +{ + return is_prot_virt_guest(); +} + /* protected virtualization */ static void pv_init(void) { diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c index a977e32a88f2..aa8e01104f86 100644 --- a/drivers/virtio/virtio.c +++ b/drivers/virtio/virtio.c @@ -167,6 +167,21 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) } EXPORT_SYMBOL_GPL(virtio_add_status); +/* + * arch_needs_virtio_iommu_platform - provide arch specific hook when finalizing + * features for VIRTIO device dev + * @dev: the VIRTIO device being added + * + * Permits the platform to provide architecture specific functionality when + * devices features are finalized. This is the default implementation. + * Architecture implementations can override this. + */ + +int __weak arch_needs_virtio_iommu_platform(struct virtio_device *dev) +{ + return 0; +} + int virtio_finalize_features(struct virtio_device *dev) { int ret = dev->config->finalize_features(dev); @@ -179,6 +194,13 @@ int virtio_finalize_features(struct virtio_device *dev) if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) return 0; + if (arch_needs_virtio_iommu_platform(dev) && + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) { + dev_warn(&dev->dev, + "virtio: device must provide VIRTIO_F_IOMMU_PLATFORM\n"); + return -ENODEV; + } + virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK); status = dev->config->get_status(dev); if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) { diff --git a/include/linux/virtio.h b/include/linux/virtio.h index a493eac08393..e8526ae3463e 100644 --- a/include/linux/virtio.h +++ b/include/linux/virtio.h @@ -195,4 +195,6 @@ void unregister_virtio_driver(struct virtio_driver *drv); #define module_virtio_driver(__virtio_driver) \ module_driver(__virtio_driver, register_virtio_driver, \ unregister_virtio_driver) + +int arch_needs_virtio_iommu_platform(struct virtio_device *dev); #endif /* _LINUX_VIRTIO_H */ -- 2.25.1
Heiko Carstens
2020-Jun-17 11:22 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Wed, Jun 17, 2020 at 12:43:57PM +0200, Pierre Morel wrote:> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM. > > Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Acked-by: Christian Borntraeger <borntraeger at de.ibm.com> > --- > arch/s390/mm/init.c | 6 ++++++ > drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ > include/linux/virtio.h | 2 ++ > 3 files changed, 30 insertions(+) > > diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c > index 6dc7c3b60ef6..215070c03226 100644 > --- a/arch/s390/mm/init.c > +++ b/arch/s390/mm/init.c > @@ -45,6 +45,7 @@ > #include <asm/kasan.h> > #include <asm/dma-mapping.h> > #include <asm/uv.h> > +#include <linux/virtio.h> > > pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); > > @@ -161,6 +162,11 @@ bool force_dma_unencrypted(struct device *dev) > return is_prot_virt_guest(); > } > > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return is_prot_virt_guest(); > +} > + > /* protected virtualization */ > static void pv_init(void)Can we please stop dumping random code to arch/s390/mm/init.c? All the protected virtualization functions should go into a separate file (e.g. mem_encrypt.c like on x86), some of which could also be in header files. Please consider this a comment for the future.. just go ahead with this patch as-is.
Tom Lendacky
2020-Jun-17 13:36 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
On 6/17/20 5:43 AM, Pierre Morel wrote:> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM. > > Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Acked-by: Christian Borntraeger <borntraeger at de.ibm.com> > --- > arch/s390/mm/init.c | 6 ++++++ > drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ > include/linux/virtio.h | 2 ++ > 3 files changed, 30 insertions(+) > > diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c > index 6dc7c3b60ef6..215070c03226 100644 > --- a/arch/s390/mm/init.c > +++ b/arch/s390/mm/init.c > @@ -45,6 +45,7 @@ > #include <asm/kasan.h> > #include <asm/dma-mapping.h> > #include <asm/uv.h> > +#include <linux/virtio.h> > > pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); > > @@ -161,6 +162,11 @@ bool force_dma_unencrypted(struct device *dev) > return is_prot_virt_guest(); > } > > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return is_prot_virt_guest(); > +} > + > /* protected virtualization */ > static void pv_init(void) > { > diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index a977e32a88f2..aa8e01104f86 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c > @@ -167,6 +167,21 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) > } > EXPORT_SYMBOL_GPL(virtio_add_status); > > +/* > + * arch_needs_virtio_iommu_platform - provide arch specific hook when finalizing > + * features for VIRTIO device dev > + * @dev: the VIRTIO device being added > + * > + * Permits the platform to provide architecture specific functionality when > + * devices features are finalized. This is the default implementation. > + * Architecture implementations can override this. > + */ > + > +int __weak arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return 0; > +} > + > int virtio_finalize_features(struct virtio_device *dev) > { > int ret = dev->config->finalize_features(dev); > @@ -179,6 +194,13 @@ int virtio_finalize_features(struct virtio_device *dev) > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > return 0; > > + if (arch_needs_virtio_iommu_platform(dev) && > + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) {Just a style nit, but the "!virtio..." should be directly under the "arch_...", not tabbed out. Thanks, Tom> + dev_warn(&dev->dev, > + "virtio: device must provide VIRTIO_F_IOMMU_PLATFORM\n"); > + return -ENODEV; > + } > + > virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK); > status = dev->config->get_status(dev); > if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) { > diff --git a/include/linux/virtio.h b/include/linux/virtio.h > index a493eac08393..e8526ae3463e 100644 > --- a/include/linux/virtio.h > +++ b/include/linux/virtio.h > @@ -195,4 +195,6 @@ void unregister_virtio_driver(struct virtio_driver *drv); > #define module_virtio_driver(__virtio_driver) \ > module_driver(__virtio_driver, register_virtio_driver, \ > unregister_virtio_driver) > + > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev); > #endif /* _LINUX_VIRTIO_H */ >
Halil Pasic
2020-Jun-17 22:29 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Wed, 17 Jun 2020 12:43:57 +0200 Pierre Morel <pmorel at linux.ibm.com> wrote:> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM. >[..] I'm still not really satisfied with your commit message, furthermore I did some thinking about the abstraction you introduce here. I will give a short analysis of that, but first things first. Your patch does the job of preventing calamity, and the details can be changed any time, thus: Acked-by: Halil Pasic <pasic at linux.ibm.com> Regarding the interaction of architecture specific code with virtio core, I believe we could have made the interface more generic. One option is to introduce virtio_arch_finalize_features(), a hook that could reject any feature that is inappropriate. Another option would be to find a common name for is_prot_virt_guest() (arch/s390) sev_active() (arch/x86) and is_secure_guest() (arch/powerpc) and use that instead of arch_needs_virtio_iommu_platform() and where-ever appropriate. Currently we seem to want this info in driver code only for virtio, but if the virtio driver has a legitimate need to know, other drivers may as well have a legitimate need to know. For example if we wanted to protect ourselves in ccw device drivers from somebody setting up a vfio-ccw device and attach it to the prot-virt guest (AFAICT we only lack guest enablement for this) such a function could be useful. But since this can be rewritten any time, let's go with the option people already agree with, instead of more discussion. Just another question. Do we want this backported? Do we need cc stable? [..]> int virtio_finalize_features(struct virtio_device *dev) > { > int ret = dev->config->finalize_features(dev); > @@ -179,6 +194,13 @@ int virtio_finalize_features(struct virtio_device *dev) > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > return 0; > > + if (arch_needs_virtio_iommu_platform(dev) && > + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) { > + dev_warn(&dev->dev, > + "virtio: device must provide VIRTIO_F_IOMMU_PLATFORM\n");I'm not sure, divulging the current Linux name of this feature bit is a good idea, but if everybody else is fine with this, I don't care that much. An alternative would be: "virtio: device falsely claims to have full access to the memory, aborting the device" Regards, Halil
Michael S. Tsirkin
2020-Jun-29 15:57 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Wed, Jun 17, 2020 at 12:43:57PM +0200, Pierre Morel wrote:> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM. > > Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Acked-by: Christian Borntraeger <borntraeger at de.ibm.com> > --- > arch/s390/mm/init.c | 6 ++++++ > drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ > include/linux/virtio.h | 2 ++ > 3 files changed, 30 insertions(+) > > diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c > index 6dc7c3b60ef6..215070c03226 100644 > --- a/arch/s390/mm/init.c > +++ b/arch/s390/mm/init.c > @@ -45,6 +45,7 @@ > #include <asm/kasan.h> > #include <asm/dma-mapping.h> > #include <asm/uv.h> > +#include <linux/virtio.h> > > pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); > > @@ -161,6 +162,11 @@ bool force_dma_unencrypted(struct device *dev) > return is_prot_virt_guest(); > } > > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return is_prot_virt_guest(); > +} > + > /* protected virtualization */ > static void pv_init(void) > { > diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index a977e32a88f2..aa8e01104f86 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c > @@ -167,6 +167,21 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) > } > EXPORT_SYMBOL_GPL(virtio_add_status); > > +/* > + * arch_needs_virtio_iommu_platform - provide arch specific hook when finalizing > + * features for VIRTIO device dev > + * @dev: the VIRTIO device being added > + * > + * Permits the platform to provide architecture specific functionality when > + * devices features are finalized. This is the default implementation. > + * Architecture implementations can override this. > + */ > + > +int __weak arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return 0; > +} > + > int virtio_finalize_features(struct virtio_device *dev) > { > int ret = dev->config->finalize_features(dev); > @@ -179,6 +194,13 @@ int virtio_finalize_features(struct virtio_device *dev) > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > return 0; > > + if (arch_needs_virtio_iommu_platform(dev) && > + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) { > + dev_warn(&dev->dev, > + "virtio: device must provide VIRTIO_F_IOMMU_PLATFORM\n"); > + return -ENODEV; > + } > + > virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK); > status = dev->config->get_status(dev); > if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) {Well don't you need to check it *before* VIRTIO_F_VERSION_1, not after?> diff --git a/include/linux/virtio.h b/include/linux/virtio.h > index a493eac08393..e8526ae3463e 100644 > --- a/include/linux/virtio.h > +++ b/include/linux/virtio.h > @@ -195,4 +195,6 @@ void unregister_virtio_driver(struct virtio_driver *drv); > #define module_virtio_driver(__virtio_driver) \ > module_driver(__virtio_driver, register_virtio_driver, \ > unregister_virtio_driver) > + > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev); > #endif /* _LINUX_VIRTIO_H */ > -- > 2.25.1
Michael S. Tsirkin
2020-Jun-29 16:09 UTC
[PATCH v3 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Wed, Jun 17, 2020 at 12:43:57PM +0200, Pierre Morel wrote:> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM.I agree it's a bit misleading. Protection is enforced by memory encryption, you can't trust the hypervisor to report the bit correctly so using that as a securoty measure would be pointless. The real gain here is that broken configs are easier to debug. Here's an attempt at a better description: On some architectures, guest knows that VIRTIO_F_IOMMU_PLATFORM is required for virtio to function: e.g. this is the case on s390 protected virt guests, since otherwise guest passes encrypted guest memory to devices, which the device can't read. Without VIRTIO_F_IOMMU_PLATFORM the result is that affected memory (or even a whole page containing it is corrupted). Detect and fail probe instead - that is easier to debug. however, now that we have described what it is (hypervisor misconfiguration) I ask a question: can we be sure this will never ever work? E.g. what if some future hypervisor gains ability to access the protected guest memory in some abstractly secure manner? We are blocking this here, and it's hard to predict the future, and a broken hypervisor can always find ways to crash the guest ... IMHO it would be safer to just print a warning. What do you think?> > Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Acked-by: Christian Borntraeger <borntraeger at de.ibm.com> > --- > arch/s390/mm/init.c | 6 ++++++ > drivers/virtio/virtio.c | 22 ++++++++++++++++++++++ > include/linux/virtio.h | 2 ++ > 3 files changed, 30 insertions(+) > > diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c > index 6dc7c3b60ef6..215070c03226 100644 > --- a/arch/s390/mm/init.c > +++ b/arch/s390/mm/init.c > @@ -45,6 +45,7 @@ > #include <asm/kasan.h> > #include <asm/dma-mapping.h> > #include <asm/uv.h> > +#include <linux/virtio.h> > > pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); > > @@ -161,6 +162,11 @@ bool force_dma_unencrypted(struct device *dev) > return is_prot_virt_guest(); > } > > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return is_prot_virt_guest(); > +} > + > /* protected virtualization */ > static void pv_init(void) > { > diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index a977e32a88f2..aa8e01104f86 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c > @@ -167,6 +167,21 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) > } > EXPORT_SYMBOL_GPL(virtio_add_status); > > +/* > + * arch_needs_virtio_iommu_platform - provide arch specific hook when finalizing > + * features for VIRTIO device dev > + * @dev: the VIRTIO device being added > + * > + * Permits the platform to provide architecture specific functionality when > + * devices features are finalized. This is the default implementation. > + * Architecture implementations can override this. > + */ > + > +int __weak arch_needs_virtio_iommu_platform(struct virtio_device *dev) > +{ > + return 0; > +} > + > int virtio_finalize_features(struct virtio_device *dev) > { > int ret = dev->config->finalize_features(dev); > @@ -179,6 +194,13 @@ int virtio_finalize_features(struct virtio_device *dev) > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > return 0; > > + if (arch_needs_virtio_iommu_platform(dev) && > + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) { > + dev_warn(&dev->dev, > + "virtio: device must provide VIRTIO_F_IOMMU_PLATFORM\n"); > + return -ENODEV; > + } > + > virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK); > status = dev->config->get_status(dev); > if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) { > diff --git a/include/linux/virtio.h b/include/linux/virtio.h > index a493eac08393..e8526ae3463e 100644 > --- a/include/linux/virtio.h > +++ b/include/linux/virtio.h > @@ -195,4 +195,6 @@ void unregister_virtio_driver(struct virtio_driver *drv); > #define module_virtio_driver(__virtio_driver) \ > module_driver(__virtio_driver, register_virtio_driver, \ > unregister_virtio_driver) > + > +int arch_needs_virtio_iommu_platform(struct virtio_device *dev); > #endif /* _LINUX_VIRTIO_H */ > -- > 2.25.1