Re: [PATCH V1 3/6] xen/virtio: Add option to restrict memory access under Xen

[Juergen Gross]

On 24.04.22 18:53, Oleksandr wrote:
> On 23.04.22 19:40, Christoph Hellwig wrote:
>
>
> Hello Christoph
>
> > Please split this into one patch that creates grant-dma-ops, and another
> > that sets up the virtio restricted access helpers.
>
>
> Sounds reasonable, will do:
>
> 1. grant-dma-ops.c with config XEN_GRANT_DMA_OPS
>
> 2. arch_has_restricted_virtio_memory_access() with config XEN_VIRTIO
>
>
> > > +
> > > +#ifdef CONFIG_ARCH_HAS_RESTRICTED_VIRTIO_MEMORY_ACCESS
> > > +int arch_has_restricted_virtio_memory_access(void)
> > > +{
> > > +    return (xen_has_restricted_virtio_memory_access() ||
> > > +            cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT));
> > > +}
> > So instead of hardcoding Xen here, this seems like a candidate for
> > another cc_platform_has flag.
>
>
> I have a limited knowledge of x86 and Xen on x86.
>
> Would the Xen specific bits fit into Confidential Computing Platform checks? I 
> will let Juergen/Boris comment on this.

I don't think cc_platform_has would be correct here. Xen certainly
provides more isolation between guests and dom0, but "Confidential
Computing" is basically orthogonal to that feature.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature