Re: [PATCH] s390: protvirt: virtio: Refuse device without IOMMU
From: Jason Wang
Date: Sun Jun 14 2020 - 23:02:11 EST
On 2020/6/12 äå7:38, Pierre Morel wrote:
On 2020-06-12 11:21, Pierre Morel wrote:
On 2020-06-11 05:10, Jason Wang wrote:
On 2020/6/10 äå9:11, Pierre Morel wrote:
Protected Virtualisation protects the memory of the guest and
do not allow a the host to access all of its memory.
Let's refuse a VIRTIO device which does not use IOMMU
protected access.
Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxx>
---
 drivers/s390/virtio/virtio_ccw.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/s390/virtio/virtio_ccw.c
b/drivers/s390/virtio/virtio_ccw.c
index 5730572b52cd..06ffbc96587a 100644
--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c
@@ -986,6 +986,11 @@ static void virtio_ccw_set_status(struct
virtio_device *vdev, u8 status)
ÂÂÂÂÂ if (!ccw)
ÂÂÂÂÂÂÂÂÂ return;
+ÂÂÂ /* Protected Virtualisation guest needs IOMMU */
+ÂÂÂ if (is_prot_virt_guest() &&
+ÂÂÂÂÂÂÂ !__virtio_test_bit(vdev, VIRTIO_F_IOMMU_PLATFORM))
+ÂÂÂÂÂÂÂÂÂÂÂ status &= ~VIRTIO_CONFIG_S_FEATURES_OK;
+
ÂÂÂÂÂ /* Write the status to the host. */
ÂÂÂÂÂ vcdev->dma_area->status = status;
ÂÂÂÂÂ ccw->cmd_code = CCW_CMD_WRITE_STATUS;
I wonder whether we need move it to virtio core instead of ccw.
I think the other memory protection technologies may suffer from
this as well.
Thanks
What would you think of the following, also taking into account
Connie's comment on where the test should be done:
- declare a weak function in virtio.c code, returning that memory
protection is not in use.
- overwrite the function in the arch code
- call this function inside core virtio_finalize_features() and if
required fail if the device don't have VIRTIO_F_IOMMU_PLATFORM.
I think this is fine.
Alternative could be to test a global variable that the architecture
would overwrite if needed but I find the weak function solution more
flexible.
With a function, we also have the possibility to provide the device
as argument and take actions depending it, this may answer Halil's
concern.
Regards,
Pierre
hum, in between I found another way which seems to me much better:
We already have the force_dma_unencrypted() function available which
AFAIU is what we want for encrypted memory protection and is already
used by power and x86 SEV/SME in a way that seems AFAIU compatible
with our problem.
Even DMA and IOMMU are different things, I think they should be used
together in our case.
What do you think?
The patch would then be something like:
diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
index a977e32a88f2..53476d5bbe35 100644
--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -4,6 +4,7 @@
Â#include <linux/virtio_config.h>
Â#include <linux/module.h>
Â#include <linux/idr.h>
+#include <linux/dma-direct.h>
Â#include <uapi/linux/virtio_ids.h>
Â/* Unique numbering for virtio devices. */
@@ -179,6 +180,10 @@ int virtio_finalize_features(struct virtio_device
*dev)
ÂÂÂÂÂÂÂ if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1))
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ return 0;
+ÂÂÂÂÂÂ if (force_dma_unencrypted(&dev->dev) &&
+ÂÂÂÂÂÂÂÂÂÂ !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM))
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂ return -EIO;
+
ÂÂÂÂÂÂÂ virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK);
ÂÂÂÂÂÂÂ status = dev->config->get_status(dev);
ÂÂÂÂÂÂÂ if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) {
I think this can work but need to listen from Michael.
Thanks
Regards,
Pierre