Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp1000496pxy; Wed, 5 May 2021 20:45:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzJ0MJFsJavC/SZp/dnDextLF5UidbvMapC7iVQvJBnYKQ8fPn/zDnqNEBgV/rOiB5XSy9D X-Received: by 2002:aa7:83d0:0:b029:241:8fa3:3c6f with SMTP id j16-20020aa783d00000b02902418fa33c6fmr2252875pfn.73.1620272717303; Wed, 05 May 2021 20:45:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620272717; cv=none; d=google.com; s=arc-20160816; b=Doe4Svo7543q0IkUJxKMpDxpm8Ri36U4+J+MPOO8a3yl/jnULwRJ+dMTS72Rp5B5Qc gOHMCK3h8ELasHq3xREVzj7MzieuIZ8x7TW018LyU6ZYgqm7YNxK5eZ07AmUSAS4GFAm pVhhpackhYYQu56nRJUjnKYpQ0m/5EMV8ZP/LqyIZQDuf9ic4NVHkroSZIKAQvbCVK1r ocFHAZuM5BdH6ylIUwrKXB7Ne6KZgWJdVjdP0rHF6HK5cmqDhGcTBL/0VmbGDOBh2Cx7 JTuob4uWD8U3ygXUN6P46HE/RtKjCr73cEuJ1IxgSK9bNRVC1UQU8NeKRbyIvDexXPgC QcMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=gbydVeY5N5w2QHP37+lnpEX2xyTMiLn/vdBHF5b1sNc=; b=T207ILDcSu0f8KFYpkvbnl6haFbR4qu+lVaesNqsWyWWmcNkOhvP+kD+u2PycRFmJK +G4mLTXANEquwGkoxylOqgpVNMxqSItdSKJ7gxe5w938qHRYqd5Fg6szHu5u/ad4D1Nb /vH+HFzRgZ0ibxe7inRnKjPPrwwVIqxTB+G0XhwSgkH6guNIQzx1x19JmItIPlqrofDa BuCr/kq6RUxkT4YuzgLEjzxazdc3F7lMb59ic8hLMP8EYMSgCRXWxS58Ax2wXRTs94FU AvuZi1Fanb+V5pPT46lzb+T0lYGyMhbzYCk3dQFe5M/4JEVk6HPBTUyY6Ua1AcpOD0Uo 8nGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hl8skKT7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f7si1809378pgk.522.2021.05.05.20.45.04; Wed, 05 May 2021 20:45:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=hl8skKT7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231580AbhEFDVq (ORCPT + 99 others); Wed, 5 May 2021 23:21:46 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:47981 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231232AbhEFDVp (ORCPT ); Wed, 5 May 2021 23:21:45 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620271247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gbydVeY5N5w2QHP37+lnpEX2xyTMiLn/vdBHF5b1sNc=; b=hl8skKT7xboezdjAlPQ1QX0Yxu5ELNjBEBhpfj4EnGVjvdeOhAtWGthBtw+G04muIYqWXO F76+sLDHs7DBxFwBL+z3vDiFRO/J90OIu+W2IYK1xoTKYiH4p/ukVsmWDRQQfSRpFP/WJd JAsMsR4wQKMtcct/i9MRbMmYmgcL/Rc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-261-MouFwKIkOKSXWHLTMzNwpg-1; Wed, 05 May 2021 23:20:44 -0400 X-MC-Unique: MouFwKIkOKSXWHLTMzNwpg-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 648C38015F4; Thu, 6 May 2021 03:20:42 +0000 (UTC) Received: from wangxiaodeMacBook-Air.local (ovpn-13-159.pek2.redhat.com [10.72.13.159]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2096D19C46; Thu, 6 May 2021 03:20:31 +0000 (UTC) Subject: Re: [RFC PATCH V2 0/7] Do not read from descripto ring To: mst@redhat.com Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, xieyongji@bytedance.com, stefanha@redhat.com, file@sect.tu-berlin.de, ashish.kalra@amd.com, konrad.wilk@oracle.com, kvm@vger.kernel.org, hch@infradead.org References: <20210423080942.2997-1-jasowang@redhat.com> From: Jason Wang Message-ID: <0e9d70b7-6c8a-4ff5-1fa9-3c4f04885bb8@redhat.com> Date: Thu, 6 May 2021 11:20:30 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.0 MIME-Version: 1.0 In-Reply-To: <20210423080942.2997-1-jasowang@redhat.com> Content-Type: text/plain; charset=gbk; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ?? 2021/4/23 ????4:09, Jason Wang ะด??: > Hi: > > Sometimes, the driver doesn't trust the device. This is usually > happens for the encrtpyed VM or VDUSE[1]. In both cases, technology > like swiotlb is used to prevent the poking/mangling of memory from the > device. But this is not sufficient since current virtio driver may > trust what is stored in the descriptor table (coherent mapping) for > performing the DMA operations like unmap and bounce so the device may > choose to utilize the behaviour of swiotlb to perform attacks[2]. > > To protect from a malicous device, this series store and use the > descriptor metadata in an auxiliay structure which can not be accessed > via swiotlb instead of the ones in the descriptor table. This means > the descriptor table is write-only from the view of the driver. > > Actually, we've almost achieved that through packed virtqueue and we > just need to fix a corner case of handling mapping errors. For split > virtqueue we just follow what's done in the packed. > > Note that we don't duplicate descriptor medata for indirect > descriptors since it uses stream mapping which is read only so it's > safe if the metadata of non-indirect descriptors are correct. > > For split virtqueue, the change increase the footprint due the the > auxiliary metadata but it's almost neglectlable in the simple test > like pktgen or netpef. > > Slightly tested with packed on/off, iommu on/of, swiotlb force/off in > the guest. > > Please review. > > Changes from V1: > - Always use auxiliary metadata for split virtqueue > - Don't read from descripto when detaching indirect descriptor Hi Michael: Our QE see no regression on the perf test for 10G but some regressions (5%-10%) on 40G card. I think this is expected since we increase the footprint, are you OK with this and we can try to optimize on top or you have other ideas? Thanks > > [1] > https://lore.kernel.org/netdev/fab615ce-5e13-a3b3-3715-a4203b4ab010@redhat.com/T/ > [2] > https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@redhat.com/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b > > Jason Wang (7): > virtio-ring: maintain next in extra state for packed virtqueue > virtio_ring: rename vring_desc_extra_packed > virtio-ring: factor out desc_extra allocation > virtio_ring: secure handling of mapping errors > virtio_ring: introduce virtqueue_desc_add_split() > virtio: use err label in __vring_new_virtqueue() > virtio-ring: store DMA metadata in desc_extra for split virtqueue > > drivers/virtio/virtio_ring.c | 201 +++++++++++++++++++++++++---------- > 1 file changed, 144 insertions(+), 57 deletions(-) >