Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU

From: Halil Pasic
Date: Wed Jun 10 2020 - 13:24:47 EST

Next message: Dan Carpenter: "[PATCH 2/2] rsxx: Return -EFAULT if copy_to_user() fails"
Previous message: Dan Carpenter: "[PATCH 1/2] rsxx: Fix potential NULL dereference setting up debugfs"
In reply to: Pierre Morel: "Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU"
Next in thread: Jason Wang: "Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 10 Jun 2020 15:11:51 +0200
Pierre Morel <pmorel@xxxxxxxxxxxxx> wrote:

> Protected Virtualisation protects the memory of the guest and
> do not allow a the host to access all of its memory.
>
> Let's refuse a VIRTIO device which does not use IOMMU
> protected access.
>

Should we ever get a virtio-ccw device implemented in hardware, we could
in theory have a trusted device, i.e. one that is not affected by the
memory protection.

IMHO this restriction applies to paravitualized devices, that is devices
realized by the hypervisor. In that sense this is not about ccw, but
could in the future affect PCI as well. Thus the transport code may not
be the best place to fence this, but frankly looking at how the QEMU
discussion is going (the one where I try to prevent this condition) I
would be glad to have something like this as a safety net.

I would however like the commit message to reflect what is written above.

Do we need backports (and cc-stable) for this? Connie what do you think?

> Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxx>
> ---
> drivers/s390/virtio/virtio_ccw.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c
> index 5730572b52cd..06ffbc96587a 100644
> --- a/drivers/s390/virtio/virtio_ccw.c
> +++ b/drivers/s390/virtio/virtio_ccw.c
> @@ -986,6 +986,11 @@ static void virtio_ccw_set_status(struct virtio_device *vdev, u8 status)
> if (!ccw)
> return;
>
> + /* Protected Virtualisation guest needs IOMMU */
> + if (is_prot_virt_guest() &&
> + !__virtio_test_bit(vdev, VIRTIO_F_IOMMU_PLATFORM))

If you were to add && !__virtio_test_bit(vdev, VIRTIO_F_ORDER_PLATFORM)
we could confine this check and the bail out to paravirtualized devices,
because a device realized in HW is expected to give us both
F_ACCESS_PLATFORM and F_ORDER_PLATFORM. I would not bet it will
ever matter for virtio-ccw though.

Connie, do you have an opinion on this?

Regards,
Halil

> + status &= ~VIRTIO_CONFIG_S_FEATURES_OK;
> +
> /* Write the status to the host. */
> vcdev->dma_area->status = status;
> ccw->cmd_code = CCW_CMD_WRITE_STATUS;

Next message: Dan Carpenter: "[PATCH 2/2] rsxx: Return -EFAULT if copy_to_user() fails"
Previous message: Dan Carpenter: "[PATCH 1/2] rsxx: Fix potential NULL dereference setting up debugfs"
In reply to: Pierre Morel: "Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU"
Next in thread: Jason Wang: "Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]