Re: [PATCH 5/5] virtio: Add bounce DMA ops
From: Lu Baolu
Date: Wed Apr 29 2020 - 01:42:24 EST
On 2020/4/29 12:57, Michael S. Tsirkin wrote:
On Wed, Apr 29, 2020 at 10:22:32AM +0800, Lu Baolu wrote:
On 2020/4/29 4:41, Michael S. Tsirkin wrote:
On Tue, Apr 28, 2020 at 11:19:52PM +0530, Srivatsa Vaddagiri wrote:
* Michael S. Tsirkin<mst@xxxxxxxxxx> [2020-04-28 12:17:57]:
Okay, but how is all this virtio specific? For example, why not allow
separate swiotlbs for any type of device?
For example, this might make sense if a given device is from a
different, less trusted vendor.
Is swiotlb commonly used for multiple devices that may be on different trust
boundaries (and not behind a hardware iommu)?
Even a hardware iommu does not imply a 100% security from malicious
hardware. First lots of people use iommu=pt for performance reasons.
Second even without pt, unmaps are often batched, and sub-page buffers
might be used for DMA, so we are not 100% protected at all times.
For untrusted devices, IOMMU is forced on even iommu=pt is used;
I think you are talking about untrusted *drivers* like with VFIO.
No. I am talking about untrusted devices like thunderbolt peripherals.
We always trust drivers hosted in kernel and the DMA APIs are designed
for them, right?
Please refer to this series.
https://lkml.org/lkml/2019/9/6/39
Best regards,
baolu
On the other hand, I am talking about things like thunderbolt
peripherals being less trusted than on-board ones.
Or possibly even using swiotlb for specific use-cases where
speed is less of an issue.
E.g. my wifi is pretty slow anyway, and that card is exposed to
malicious actors all the time, put just that behind swiotlb
for security, and leave my graphics card with pt since
I'm trusting it with secrets anyway.
and
iotlb flush is in strict mode (no batched flushes); ATS is also not
allowed. Swiotlb is used to protect sub-page buffers since IOMMU can
only apply page granularity protection. Swiotlb is now used for devices
from different trust zone.
Best regards,
baolu