Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU

[Pierre Morel]

On 2020-06-12 15:45, Mauricio Tavares wrote:
> On Wed, Jun 10, 2020 at 12:32 PM Pierre Morel <pmorel@xxxxxxxxxxxxx> wrote:
> > Protected Virtualisation protects the memory of the guest and
> > do not allow a the host to access all of its memory.
> >
> > Let's refuse a VIRTIO device which does not use IOMMU
> > protected access.
>        Stupid questions:

not stupid at all. :)

> 1. Do all CPU families we care about (which are?) support IOMMU? Ex:
> would it recognize an ARM thingie with SMMU? [1]

In Message-ID: <6356ba7f-afab-75e1-05ff-4a22b88c610e@xxxxxxxxxxxxx>
(as answer to Jason) I modified the patch and propose to take care of 
this problem by using force_dma_unencrypted() inside virtio core instead 
of a S390 specific test.

If we use force_dma_unencrypted(dev) to check if we must refuse a device 
without the VIRTIO_F_IOMMU_PLATFORM feature, we are safe:
only architectures defining CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED will 
have to define force_dma_unencrypted(dev), and they can choose what to 
do by checking the architecture functionalities and/or the device.

> 2. Would it make sense to have some kind of
> yes-I-know-the-consequences-but-I-need-to-have-a-virtio-device-without-iommu-in-this-guest
> flag?

Yes, two ways:

Never refuse a device without VIRTIO_F_IOMMU_PLATFORM, by not defining 
CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED or by always return 0 in 
force_dma_unencrypted()

have force_dma_unencrypted() selectively answer by checking the device 
and/or architecture state.

>
...snip...
> >
>
> [1] https://developer.arm.com/architectures/system-architectures/system-components/system-mmu-support

Regards,
Pierre


--
Pierre Morel
IBM Lab Boeblingen