Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp4833441ybi; Mon, 3 Jun 2019 18:44:35 -0700 (PDT) X-Google-Smtp-Source: APXvYqzxyqXjFlhG5BOjVgatLAot65Oq17BCGhdQ/O6cIFFQBG/AGve9UHyG1KHCEqnQdsie2VP8 X-Received: by 2002:a62:97:: with SMTP id 145mr28487896pfa.246.1559612675201; Mon, 03 Jun 2019 18:44:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559612675; cv=none; d=google.com; s=arc-20160816; b=s7ycMUI6eOye66rFol39sgoqnZC9OHevd7Ins8aP7WQjLleBMCbnhX7Vf6mgVEom3t sZOPT6s5PO4wyKUuvqtKVs7YHbEBaIfCzWWnyEmxz9gSbeJeaZd/HJ41du/kdFtRGdmN Ryv5hkXERwJB35uNSuOq9so3dxSeKSjF2wwoJj8cpTBjmZ8M3/cxbwK7a13DiY74ouWM CHNID19sZO+iJwP4YEnPNUiuG3Tv13ZRT1PN8CczpF3HNfcH7IiozjBUO8KS3/9jB7nL Yb7E3ge0qUCe2cMzcd/hH0GEHtjG+aMXRSIHwQzGHkVhzpgCRI00Z/Ut+ws5T9JOiaaN GKvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=UhYcCxgEtL0AtQ/eoB2A8hUZouQaYG46tp9fVW9VG8Y=; b=NH1Bp7sVCXDMKl55M+WbFXFlqEoN0XR4l5SPEs/JzquOhd3WIHxV6buZwgQjAnzcvw CLDSuQ2PFwFi73zoLpYvn/U4lYrWQkRwLaP2ej3Dw8xaE3/1GXYq3cLboRtRy1f82rgL OaimBmySlLxTgXPYiKbodGSB/jRaHW2xxd8tNLyhUQTvJowVHLEy60WQVMHhT9aCf6hu JQ2JJpSYOs+yLM2ilqqnBR8POTusQsv2c5VzESJbUhYVZulFPdPpRGCOVoqvnQMN8/mN ekhhFgKGSEyAFFBvlfKOgax0LIkGeespEU6ScIyuBPLcuTjFP3VDKXcqGlgPH3MyUNu0 Kbmw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q184si22684160pfc.199.2019.06.03.18.44.16; Mon, 03 Jun 2019 18:44:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726174AbfFDBnE (ORCPT + 99 others); Mon, 3 Jun 2019 21:43:04 -0400 Received: from mail-qt1-f193.google.com ([209.85.160.193]:46140 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726033AbfFDBnD (ORCPT ); Mon, 3 Jun 2019 21:43:03 -0400 Received: by mail-qt1-f193.google.com with SMTP id z19so11870654qtz.13 for ; Mon, 03 Jun 2019 18:43:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=UhYcCxgEtL0AtQ/eoB2A8hUZouQaYG46tp9fVW9VG8Y=; b=haBbHErAu8Y8OgRzB3bV4Ns6aBgJJ1GqOtzPA/XjdXE6lwaiIihe+HBYLAtegzpf5a 5dES7k3JJEbUWrkO5uMVBGCA8PKTM3AOwPAn/OAEj6lHzc7yN/RWDuPOu+iqIUYhZKH3 UNz6iN99z9NMW5m8yBLXVs4PQrNkuaPsQ7QcHP8UPvwFCG4yHPaIA/rWFJnIwNVaniY4 AzbGFg6YW7cWPiKxc6C//Vo+KLvCOcjGJOEJyOsRPQxaXlA/DALee+faMBu0nsmJUSyU mVwRZCo5IiDq7Am2H260LOUZmD1J29Q0ubrBcOM2Ik0lgXXwUVgPwS7MZX3yeJ9d7pcu BejA== X-Gm-Message-State: APjAAAWgf618gvj0zVY7+wVaLMB9BWiBmo/ynUPE6g8CVPSNKLxq/LjD CH1FxXdHEDNBbQruEAdRXf6C7w== X-Received: by 2002:ac8:2c7d:: with SMTP id e58mr25943949qta.243.1559612582509; Mon, 03 Jun 2019 18:43:02 -0700 (PDT) Received: from redhat.com (pool-100-0-197-103.bstnma.fios.verizon.net. [100.0.197.103]) by smtp.gmail.com with ESMTPSA id q187sm236373qkd.19.2019.06.03.18.42.59 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Mon, 03 Jun 2019 18:43:01 -0700 (PDT) Date: Mon, 3 Jun 2019 21:42:58 -0400 From: "Michael S. Tsirkin" To: Thiago Jung Bauermann Cc: virtualization@lists.linux-foundation.org, linuxppc-dev@lists.ozlabs.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jason Wang , Christoph Hellwig , David Gibson , Alexey Kardashevskiy , Paul Mackerras , Benjamin Herrenschmidt , Ram Pai , Jean-Philippe Brucker , Michael Roth , Mike Anderson Subject: Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted Message-ID: <20190603211528-mutt-send-email-mst@kernel.org> References: <20190129134750-mutt-send-email-mst@kernel.org> <877eefxvyb.fsf@morokweng.localdomain> <20190204144048-mutt-send-email-mst@kernel.org> <87ef71seve.fsf@morokweng.localdomain> <20190320171027-mutt-send-email-mst@kernel.org> <87tvfvbwpb.fsf@morokweng.localdomain> <20190323165456-mutt-send-email-mst@kernel.org> <87a7go71hz.fsf@morokweng.localdomain> <20190520090939-mutt-send-email-mst@kernel.org> <877ea26tk8.fsf@morokweng.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <877ea26tk8.fsf@morokweng.localdomain> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 03, 2019 at 10:13:59PM -0300, Thiago Jung Bauermann wrote: > > > Michael S. Tsirkin writes: > > > On Wed, Apr 17, 2019 at 06:42:00PM -0300, Thiago Jung Bauermann wrote: > >> I rephrased it in terms of address translation. What do you think of > >> this version? The flag name is slightly different too: > >> > >> > >> VIRTIO_F_ACCESS_PLATFORM_NO_TRANSLATION This feature has the same > >> meaning as VIRTIO_F_ACCESS_PLATFORM both when set and when not set, > >> with the exception that address translation is guaranteed to be > >> unnecessary when accessing memory addresses supplied to the device > >> by the driver. Which is to say, the device will always use physical > >> addresses matching addresses used by the driver (typically meaning > >> physical addresses used by the CPU) and not translated further. This > >> flag should be set by the guest if offered, but to allow for > >> backward-compatibility device implementations allow for it to be > >> left unset by the guest. It is an error to set both this flag and > >> VIRTIO_F_ACCESS_PLATFORM. > > > > > > OK so VIRTIO_F_ACCESS_PLATFORM is designed to allow unpriveledged > > drivers. This is why devices fail when it's not negotiated. > > Just to clarify, what do you mean by unprivileged drivers? Is it drivers > implemented in guest userspace such as with VFIO? Or unprivileged in > some other sense such as needing to use bounce buffers for some reason? I had drivers in guest userspace in mind. > > This confuses me. > > If driver is unpriveledged then what happens with this flag? > > It can supply any address it wants. Will that corrupt kernel > > memory? > > Not needing address translation doesn't necessarily mean that there's no > IOMMU. On powerpc we don't use VIRTIO_F_ACCESS_PLATFORM but there's > always an IOMMU present. And we also support VFIO drivers. The VFIO API > for pseries (sPAPR section in Documentation/vfio.txt) has extra ioctls > to program the IOMMU. > > For our use case, we don't need address translation because we set up an > identity mapping in the IOMMU so that the device can use guest physical > addresses. And can it access any guest physical address? > If the guest kernel is concerned that an unprivileged driver could > jeopardize its integrity it should not negotiate this feature flag. Unfortunately flag negotiation is done through config space and so can be overwritten by the driver. > Perhaps there should be a note about this in the flag definition? This > concern is platform-dependant though. I don't believe it's an issue in > pseries. Again ACCESS_PLATFORM has a pretty open definition. It does actually say it's all up to the platform. Specifically how will VIRTIO_F_ACCESS_PLATFORM_NO_TRANSLATION be implemented portably? virtio has no portable way to know whether DMA API bypasses translation. > -- > Thiago Jung Bauermann > IBM Linux Technology Center