Re: Using Restricted DMA for virtio-pci

From: Michael S. Tsirkin
Date: Fri Mar 21 2025 - 14:32:59 EST

Next message: Yury Norov: "Re: distro support for CONFIG_KUNIT: [PATCH 0/3] bitmap: convert self-test to KUnit"
Previous message: Atish Patra: "Re: [RESEND PATCH 0/7] perf vendor events riscv: Update SiFive CPU PMU events"
In reply to: David Woodhouse: "Using Restricted DMA for virtio-pci"
Next in thread: David Woodhouse: "Re: Using Restricted DMA for virtio-pci"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Mar 21, 2025 at 03:38:10PM +0000, David Woodhouse wrote:
> On Tue, 2021-02-09 at 14:21 +0800, Claire Chang wrote:
> > This series implements mitigations for lack of DMA access control on
> > systems without an IOMMU, which could result in the DMA accessing the
> > system memory at unexpected times and/or unexpected addresses, possibly
> > leading to data leakage or corruption.
>
> Replying to an ancient (2021) thread which has already been merged...
>
> I'd like to be able to use this facility for virtio devices.
>
> Virtio already has a complicated relationship with the DMA API, because
> there were a bunch of early VMM bugs where the virtio devices where
> magically exempted from IOMMU protection, but the VMM lied to the guest
> and claimed they weren't.
>
> With the advent of confidential computing, and the VMM (or whatever's
> emulating the virtio device) not being *allowed* to arbitrarily access
> all of the guest's memory, the DMA API becomes necessary again.
>
> Either a virtual IOMMU needs to determine which guest memory the VMM
> may access, or the DMA API is wrappers around operations which
> share/unshare (or unencrypt/encrypt) the memory in question.
>
> All of which is complicated and slow, if we're looking at a minimal
> privileged hypervisor stub like pKVM which enforces the lack of guest
> memory access from VMM.
>
> I'm thinking of defining a new type of virtio-pci device which cannot
> do DMA to arbitrary system memory. Instead it has an additional memory
> BAR which is used as a SWIOTLB for bounce buffering.
>
> The driver for it would look much like the existing virtio-pci device
> except that it would register the restricted-dma region first (and thus
> the swiotlb dma_ops), and then just go through the rest of the setup
> like any other virtio device.
>
> That seems like it ought to be fairly simple, and seems like a
> reasonable way to allow an untrusted VMM to provide virtio devices with
> restricted DMA access.
>
> While I start actually doing the typing... does anyone want to start
> yelling at me now? Christoph? mst? :)

I don't mind as such (though I don't understand completely), but since
this is changing the device anyway, I am a bit confused why you can't
just set the VIRTIO_F_ACCESS_PLATFORM feature bit? This forces DMA API
which will DTRT for you, will it not?

--
MST

Next message: Yury Norov: "Re: distro support for CONFIG_KUNIT: [PATCH 0/3] bitmap: convert self-test to KUnit"
Previous message: Atish Patra: "Re: [RESEND PATCH 0/7] perf vendor events riscv: Update SiFive CPU PMU events"
In reply to: David Woodhouse: "Using Restricted DMA for virtio-pci"
Next in thread: David Woodhouse: "Re: Using Restricted DMA for virtio-pci"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]