Re: [PATCH v4 4/6] vfio/type1: check dma map request is within a valid iova range

From: Robin Murphy
Date: Fri Mar 02 2018 - 12:16:45 EST


On 02/03/18 16:04, Alex Williamson wrote:
[...]
I still think you're overstretching the IOMMU reserved region interface
by trying to report possible ACS conflicts. Are we going to update the
reserved list on device hotplug? Are we going to update the list when
MMIO is enabled or disabled for each device? What if the BARs are
reprogrammed or bridge apertures changed? IMO, the IOMMU reserved list
should account for specific IOVA exclusions that apply to transactions
that actually reach the IOMMU, not aliasing that might occur in the
downstream topology. Additionally, the IOMMU group composition must be
such that these sorts of aliasing issues can only occur within an IOMMU
group. If a transaction can be affected by the MMIO programming of
another group, then the groups are drawn incorrectly for the isolation
capabilities of the hardware. Thanks,

Agree that this is not a perfect thing to do covering all scenarios. As Robin
pointed out, the current code is playing safe by reserving the full windows.

My suggestion will be to limit this reservation to non-ACS cases only. This will
make sure that ACS ARM hardware is not broken by this series and nos-ACS
ones has a chance to run once Qemu is updated to take care of the reserved
regions (at least in some user scenarios).

If you all are fine with this, I can include the ACS check I mentioned earlier in
iommu_dma_get_resv_regions() and sent out the revised series.

Please let me know your thoughts.

IMO, the IOMMU should be concerned with ACS as far as isolation is
concerned and reporting reserved ranges that are imposed at the IOMMU
and leave any aliasing or routing issues in the downstream topology to
other layers, or perhaps to the user. Unfortunately, enforcing the
iova list in vfio is gated by some movement here since we can't break
existing users. Thanks,

FWIW, given the discussion we've had here I wouldn't object to pushing the PCI window reservation back into the DMA-specific path, such that it doesn't get exposed via the general IOMMU API interface. We *do* want to do it there where we are in total control of our own address space and it just avoids a whole class of problems (even with ACS I'm not sure the root complex can be guaranteed to send a "bad" IOVA out to the SMMU instead of just terminating it for looking like a peer-to-peer attempt).

I do agree that it's not scalable for the IOMMU layer to attempt to detect and describe upstream PCI limitations to userspace by itself - they are "reserved regions" rather than "may or may not work regions" after all. If there is a genuine integration issue between an IOMMU and an upstream PCI RC which restricts usable addresses on a given system, that probably needs to be explicitly communicated from firmware to the IOMMU driver anyway, at which point that driver can report the relevant region(s) directly from its own callback.

I suppose there's an in-between option of keeping generic window reservations but giving them a new "only reserve this if you're being super-cautious or don't know better" region type which we hide from userspace and ignore in VFIO, but maybe that leaves the lines a but too blurred still.

Robin.