Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted

From: Michael S. Tsirkin
Date: Fri Sep 06 2019 - 01:08:23 EST

Next message: Julia Lawall: "Re: [PATCH -next] coccinelle: platform_get_irq: Fix parse error"
Previous message: Vinod Koul: "[PATCH] clk: qcom: gcc-qcs404: Use floor ops for sdcc clks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 12, 2019 at 02:15:32PM +0200, Christoph Hellwig wrote:
> On Sun, Aug 11, 2019 at 04:55:27AM -0400, Michael S. Tsirkin wrote:
> > On Sun, Aug 11, 2019 at 07:56:07AM +0200, Christoph Hellwig wrote:
> > > So we need a flag on the virtio device, exposed by the
> > > hypervisor (or hardware for hw virtio devices) that says: hey, I'm real,
> > > don't take a shortcut.
> >
> > The point here is that it's actually still not real. So we would still
> > use a physical address. However Linux decides that it wants extra
> > security by moving all data through the bounce buffer. The distinction
> > made is that one can actually give device a physical address of the
> > bounce buffer.
>
> Sure. The problem is just that you keep piling hacks on top of hacks.
> We need the per-device flag anyway to properly support hardware virtio
> device in all circumstances. Instead of coming up with another ad-hoc
> hack to force DMA uses implement that one proper bit and reuse it here.

The flag that you mention literally means "I am a real device" so for
example, you can use VFIO with it. And this device isn't a real one,
and you can't use VFIO with it, even though it's part of a power
system which always has an IOMMU.

Or here's another way to put it: we have a broken device that can only
access physical addresses, not DMA addresses. But to enable SEV Linux
requires DMA API. So we can still make it work if DMA address happens
to be a physical address (not necessarily of the same page).

This is where dma_addr_is_a_phys_addr() is coming from: it tells us this
weird configuration can still work. What are we going to do for SEV if
dma_addr_is_a_phys_addr does not apply? Fail probe I guess.

So the proposal is really to make things safe and to this end,
to add this in probe:

if (sev_active() &&
!dma_addr_is_a_phys_addr(dev) &&
!virtio_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM))
return -EINVAL;

the point being to prevent loading driver where it would
corrupt guest memory. Put this way, any objections to adding
dma_addr_is_a_phys_addr to the DMA API?

--
MST

Next message: Julia Lawall: "Re: [PATCH -next] coccinelle: platform_get_irq: Fix parse error"
Previous message: Vinod Koul: "[PATCH] clk: qcom: gcc-qcs404: Use floor ops for sdcc clks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]