Message ID | 1621914605-14724-1-git-send-email-wangxingang5@huawei.com |
---|---|
Headers | show |
Series | IOMMU: Add support for IOMMU Bypass Feature | expand |
Hi everyone, Do you have any suggestions for this series of patches. The modifications affects many modules, including new command line, PCI modules and ACPI firmware tables. There's modification in IORT DMAR and IVRS, both for arm and x86 platform. I am not sure whether the modification is appropriate in all modules, do you have any suggestions? Thanks Xingang . On 2021/5/25 11:49, Wang Xingang wrote: > From: Xingang Wang <wangxingang5@huawei.com> > > These patches add support for configure bypass_iommu on/off for > pci root bus, including primary bus and pxb root bus. At present, > all root bus will go through iommu when iommu is configured, > which is not flexible, because in many situations the need for using > iommu and bypass iommu aften exists at the same time. > > So this add option to enable/disable bypass_iommu for primary bus > and pxb root bus. The bypass_iommu property is set to false default, > meaning that devcies will go through iommu if no explicit configuration > is added. When bypass_iommu is enabled for the root bus, devices > attached to it will bypass iommu, otherwise devices will go through > iommu. > > This feature can be used in this manner: > arm: -machine virt,iommu=smmuv3,bypass_iommu=true > x86: -machine q35,bypass_iommu=true > pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true > > History: > > v3 -> v4: > - simplify the logic in building the IORT idmap > > v2 -> v3: > - rebase on top of v6.0.0-rc4 > - Took into account Eric's comments, replace with a bypass_iommu > proerty > - When building the IORT idmap, cover the whole RID space > > v1 -> v2: > - rebase on top of v6.0.0-rc0 > - Fix some issues > - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, > replace it with a property in PCIHostState. > - Add support for x86 iommu option > > Xingang Wang (8): > hw/pci/pci_host: Allow bypass iommu for pci host > hw/pxb: Add a bypass iommu property > hw/arm/virt: Add a machine option to bypass iommu for primary bus > hw/i386: Add a pc machine option to bypass iommu for primary bus > hw/pci: Add pci_bus_range to get bus number range > hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node > hw/i386/acpi-build: Add explicit scope in DMAR table > hw/i386/acpi-build: Add bypass_iommu check when building IVRS table > > hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- > hw/arm/virt.c | 26 ++++++ > hw/i386/acpi-build.c | 70 ++++++++++++++- > hw/i386/pc.c | 18 ++++ > hw/pci-bridge/pci_expander_bridge.c | 3 + > hw/pci-host/q35.c | 1 + > hw/pci/pci.c | 33 ++++++- > hw/pci/pci_host.c | 2 + > include/hw/arm/virt.h | 1 + > include/hw/i386/pc.h | 1 + > include/hw/pci/pci.h | 2 + > include/hw/pci/pci_host.h | 1 + > 12 files changed, 270 insertions(+), 23 deletions(-) >
On Tue, 25 May 2021 03:49:57 +0000 Wang Xingang <wangxingang5@huawei.com> wrote: > From: Xingang Wang <wangxingang5@huawei.com> > > These patches add support for configure bypass_iommu on/off for > pci root bus, including primary bus and pxb root bus. At present, > all root bus will go through iommu when iommu is configured, > which is not flexible, because in many situations the need for using > iommu and bypass iommu aften exists at the same time. 'many situations' doesn't describe why bypass is needed, can you provide a use-cases here and what are security implications when bypass is allowed. (PS: the later probably should be documented somewhere in the docs/option description) > So this add option to enable/disable bypass_iommu for primary bus > and pxb root bus. The bypass_iommu property is set to false default, > meaning that devcies will go through iommu if no explicit configuration > is added. When bypass_iommu is enabled for the root bus, devices > attached to it will bypass iommu, otherwise devices will go through > iommu. > > This feature can be used in this manner: > arm: -machine virt,iommu=smmuv3,bypass_iommu=true > x86: -machine q35,bypass_iommu=true > pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true > > History: > > v3 -> v4: > - simplify the logic in building the IORT idmap > > v2 -> v3: > - rebase on top of v6.0.0-rc4 > - Took into account Eric's comments, replace with a bypass_iommu > proerty > - When building the IORT idmap, cover the whole RID space > > v1 -> v2: > - rebase on top of v6.0.0-rc0 > - Fix some issues > - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, > replace it with a property in PCIHostState. > - Add support for x86 iommu option > > Xingang Wang (8): > hw/pci/pci_host: Allow bypass iommu for pci host > hw/pxb: Add a bypass iommu property > hw/arm/virt: Add a machine option to bypass iommu for primary bus > hw/i386: Add a pc machine option to bypass iommu for primary bus > hw/pci: Add pci_bus_range to get bus number range > hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node > hw/i386/acpi-build: Add explicit scope in DMAR table > hw/i386/acpi-build: Add bypass_iommu check when building IVRS table > > hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- > hw/arm/virt.c | 26 ++++++ > hw/i386/acpi-build.c | 70 ++++++++++++++- > hw/i386/pc.c | 18 ++++ > hw/pci-bridge/pci_expander_bridge.c | 3 + > hw/pci-host/q35.c | 1 + > hw/pci/pci.c | 33 ++++++- > hw/pci/pci_host.c | 2 + > include/hw/arm/virt.h | 1 + > include/hw/i386/pc.h | 1 + > include/hw/pci/pci.h | 2 + > include/hw/pci/pci_host.h | 1 + > 12 files changed, 270 insertions(+), 23 deletions(-) >
Hi Igor, On 2021/6/5 20:32, Igor Mammedov wrote: > On Tue, 25 May 2021 03:49:57 +0000 > Wang Xingang <wangxingang5@huawei.com> wrote: > >> From: Xingang Wang <wangxingang5@huawei.com> >> >> These patches add support for configure bypass_iommu on/off for >> pci root bus, including primary bus and pxb root bus. At present, >> all root bus will go through iommu when iommu is configured, >> which is not flexible, because in many situations the need for using >> iommu and bypass iommu aften exists at the same time. > > 'many situations' doesn't describe why bypass is needed, > can you provide a use-cases here and what are security implications > when bypass is allowed. > (PS: the later probably should be documented somewhere in the docs/option description) > It is possible that some devices support the iommu and some devices do not. When we need to pass through both kind of devices to a virtual machine, bypass iommu would help. E.g I have a HiSilicon network and computing encryption device(SEC), which supports both iommu and noiommu mode. If I have to use a SEC in noiommu mode along with another device which need iommu, then it would need this bypass iommu feature. Besides, bypass iommu would have less performance loss because there might be many trap in and out using a virtual iommu. However there might be potential security risks without iommu, as devices might send malicious dma requests. It would be necessary to only bypass iommu for trusted devices. Thanks Xingang >> So this add option to enable/disable bypass_iommu for primary bus >> and pxb root bus. The bypass_iommu property is set to false default, >> meaning that devcies will go through iommu if no explicit configuration >> is added. When bypass_iommu is enabled for the root bus, devices >> attached to it will bypass iommu, otherwise devices will go through >> iommu. >> >> This feature can be used in this manner: >> arm: -machine virt,iommu=smmuv3,bypass_iommu=true >> x86: -machine q35,bypass_iommu=true >> pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true >> >> History: >> >> v3 -> v4: >> - simplify the logic in building the IORT idmap >> >> v2 -> v3: >> - rebase on top of v6.0.0-rc4 >> - Took into account Eric's comments, replace with a bypass_iommu >> proerty >> - When building the IORT idmap, cover the whole RID space >> >> v1 -> v2: >> - rebase on top of v6.0.0-rc0 >> - Fix some issues >> - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, >> replace it with a property in PCIHostState. >> - Add support for x86 iommu option >> >> Xingang Wang (8): >> hw/pci/pci_host: Allow bypass iommu for pci host >> hw/pxb: Add a bypass iommu property >> hw/arm/virt: Add a machine option to bypass iommu for primary bus >> hw/i386: Add a pc machine option to bypass iommu for primary bus >> hw/pci: Add pci_bus_range to get bus number range >> hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node >> hw/i386/acpi-build: Add explicit scope in DMAR table >> hw/i386/acpi-build: Add bypass_iommu check when building IVRS table >> >> hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- >> hw/arm/virt.c | 26 ++++++ >> hw/i386/acpi-build.c | 70 ++++++++++++++- >> hw/i386/pc.c | 18 ++++ >> hw/pci-bridge/pci_expander_bridge.c | 3 + >> hw/pci-host/q35.c | 1 + >> hw/pci/pci.c | 33 ++++++- >> hw/pci/pci_host.c | 2 + >> include/hw/arm/virt.h | 1 + >> include/hw/i386/pc.h | 1 + >> include/hw/pci/pci.h | 2 + >> include/hw/pci/pci_host.h | 1 + >> 12 files changed, 270 insertions(+), 23 deletions(-) >> > > . > .
On Tue, 8 Jun 2021 20:24:35 +0800 Xingang Wang <wangxingang5@huawei.com> wrote: > Hi Igor, > > On 2021/6/5 20:32, Igor Mammedov wrote: > > On Tue, 25 May 2021 03:49:57 +0000 > > Wang Xingang <wangxingang5@huawei.com> wrote: > > > >> From: Xingang Wang <wangxingang5@huawei.com> > >> > >> These patches add support for configure bypass_iommu on/off for > >> pci root bus, including primary bus and pxb root bus. At present, > >> all root bus will go through iommu when iommu is configured, > >> which is not flexible, because in many situations the need for using > >> iommu and bypass iommu aften exists at the same time. > > > > 'many situations' doesn't describe why bypass is needed, > > can you provide a use-cases here and what are security implications > > when bypass is allowed. > > (PS: the later probably should be documented somewhere in the docs/option description) > > > > It is possible that some devices support the iommu and some devices do > not. When we need to pass through both kind of devices to a virtual > machine, bypass iommu would help. > > E.g I have a HiSilicon network and computing encryption device(SEC), > which supports both iommu and noiommu mode. If I have to use a SEC in > noiommu mode along with another device which need iommu, then it would > need this bypass iommu feature. > > Besides, bypass iommu would have less performance loss because there > might be many trap in and out using a virtual iommu. usually if one enables 'iommu', one wants the isolation it provides. so the bypass option negates that. Why not just use machine with IOMMU disabled globally in the first place? > However there might be potential security risks without iommu, > as devices might send malicious dma requests. > It would be necessary to only bypass iommu for trusted devices. that's what I was worried about, at least it should be documented or a warning printed to discourage using the feature. > > Thanks > > Xingang > > >> So this add option to enable/disable bypass_iommu for primary bus > >> and pxb root bus. The bypass_iommu property is set to false default, > >> meaning that devcies will go through iommu if no explicit configuration > >> is added. When bypass_iommu is enabled for the root bus, devices > >> attached to it will bypass iommu, otherwise devices will go through > >> iommu. > >> > >> This feature can be used in this manner: > >> arm: -machine virt,iommu=smmuv3,bypass_iommu=true > >> x86: -machine q35,bypass_iommu=true > >> pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true > >> > >> History: > >> > >> v3 -> v4: > >> - simplify the logic in building the IORT idmap > >> > >> v2 -> v3: > >> - rebase on top of v6.0.0-rc4 > >> - Took into account Eric's comments, replace with a bypass_iommu > >> proerty > >> - When building the IORT idmap, cover the whole RID space > >> > >> v1 -> v2: > >> - rebase on top of v6.0.0-rc0 > >> - Fix some issues > >> - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, > >> replace it with a property in PCIHostState. > >> - Add support for x86 iommu option > >> > >> Xingang Wang (8): > >> hw/pci/pci_host: Allow bypass iommu for pci host > >> hw/pxb: Add a bypass iommu property > >> hw/arm/virt: Add a machine option to bypass iommu for primary bus > >> hw/i386: Add a pc machine option to bypass iommu for primary bus > >> hw/pci: Add pci_bus_range to get bus number range > >> hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node > >> hw/i386/acpi-build: Add explicit scope in DMAR table > >> hw/i386/acpi-build: Add bypass_iommu check when building IVRS table > >> > >> hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- > >> hw/arm/virt.c | 26 ++++++ > >> hw/i386/acpi-build.c | 70 ++++++++++++++- > >> hw/i386/pc.c | 18 ++++ > >> hw/pci-bridge/pci_expander_bridge.c | 3 + > >> hw/pci-host/q35.c | 1 + > >> hw/pci/pci.c | 33 ++++++- > >> hw/pci/pci_host.c | 2 + > >> include/hw/arm/virt.h | 1 + > >> include/hw/i386/pc.h | 1 + > >> include/hw/pci/pci.h | 2 + > >> include/hw/pci/pci_host.h | 1 + > >> 12 files changed, 270 insertions(+), 23 deletions(-) > >> > > > > . > > > > . >
Hi Igor, On 2021/6/8 21:38, Igor Mammedov wrote: > On Tue, 8 Jun 2021 20:24:35 +0800 > Xingang Wang <wangxingang5@huawei.com> wrote: > >> Hi Igor, >> >> On 2021/6/5 20:32, Igor Mammedov wrote: >>> On Tue, 25 May 2021 03:49:57 +0000 >>> Wang Xingang <wangxingang5@huawei.com> wrote: >>> >>>> From: Xingang Wang <wangxingang5@huawei.com> >>>> >>>> These patches add support for configure bypass_iommu on/off for >>>> pci root bus, including primary bus and pxb root bus. At present, >>>> all root bus will go through iommu when iommu is configured, >>>> which is not flexible, because in many situations the need for using >>>> iommu and bypass iommu aften exists at the same time. >>> >>> 'many situations' doesn't describe why bypass is needed, >>> can you provide a use-cases here and what are security implications >>> when bypass is allowed. >>> (PS: the later probably should be documented somewhere in the docs/option description) >>> >> >> It is possible that some devices support the iommu and some devices do >> not. When we need to pass through both kind of devices to a virtual >> machine, bypass iommu would help. >> >> E.g I have a HiSilicon network and computing encryption device(SEC), >> which supports both iommu and noiommu mode. If I have to use a SEC in >> noiommu mode along with another device which need iommu, then it would >> need this bypass iommu feature. >> >> Besides, bypass iommu would have less performance loss because there >> might be many trap in and out using a virtual iommu. > usually if one enables 'iommu', one wants the isolation it provides. > so the bypass option negates that. Why not just use machine with IOMMU > disabled globally in the first place? > I am considering the situation that devices with IOMMU enabled and devices with IOMMU disabled are used at the same time. Right now there's only one global switch to check whether IOMMU will be used, which is not flexible for this kind of usage. To keep consistent with previous usages with global IOMMU switch enabled, IOMMU is enabled by default if no bypass option is set. >> However there might be potential security risks without iommu, >> as devices might send malicious dma requests. >> It would be necessary to only bypass iommu for trusted devices. > that's what I was worried about, at least it should be documented > or a warning printed to discourage using the feature. > Thanks for your suggestions, I will try to add enough explanation in docs and add warning for usage of iommu bypass. >> >> Thanks >> >> Xingang >> >>>> So this add option to enable/disable bypass_iommu for primary bus >>>> and pxb root bus. The bypass_iommu property is set to false default, >>>> meaning that devcies will go through iommu if no explicit configuration >>>> is added. When bypass_iommu is enabled for the root bus, devices >>>> attached to it will bypass iommu, otherwise devices will go through >>>> iommu. >>>> >>>> This feature can be used in this manner: >>>> arm: -machine virt,iommu=smmuv3,bypass_iommu=true >>>> x86: -machine q35,bypass_iommu=true >>>> pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true >>>> >>>> History: >>>> >>>> v3 -> v4: >>>> - simplify the logic in building the IORT idmap >>>> >>>> v2 -> v3: >>>> - rebase on top of v6.0.0-rc4 >>>> - Took into account Eric's comments, replace with a bypass_iommu >>>> proerty >>>> - When building the IORT idmap, cover the whole RID space >>>> >>>> v1 -> v2: >>>> - rebase on top of v6.0.0-rc0 >>>> - Fix some issues >>>> - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, >>>> replace it with a property in PCIHostState. >>>> - Add support for x86 iommu option >>>> >>>> Xingang Wang (8): >>>> hw/pci/pci_host: Allow bypass iommu for pci host >>>> hw/pxb: Add a bypass iommu property >>>> hw/arm/virt: Add a machine option to bypass iommu for primary bus >>>> hw/i386: Add a pc machine option to bypass iommu for primary bus >>>> hw/pci: Add pci_bus_range to get bus number range >>>> hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node >>>> hw/i386/acpi-build: Add explicit scope in DMAR table >>>> hw/i386/acpi-build: Add bypass_iommu check when building IVRS table >>>> >>>> hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- >>>> hw/arm/virt.c | 26 ++++++ >>>> hw/i386/acpi-build.c | 70 ++++++++++++++- >>>> hw/i386/pc.c | 18 ++++ >>>> hw/pci-bridge/pci_expander_bridge.c | 3 + >>>> hw/pci-host/q35.c | 1 + >>>> hw/pci/pci.c | 33 ++++++- >>>> hw/pci/pci_host.c | 2 + >>>> include/hw/arm/virt.h | 1 + >>>> include/hw/i386/pc.h | 1 + >>>> include/hw/pci/pci.h | 2 + >>>> include/hw/pci/pci_host.h | 1 + >>>> 12 files changed, 270 insertions(+), 23 deletions(-) >>>> >>> >>> . >>> >> >> . >> > > . > .
From: Xingang Wang <wangxingang5@huawei.com> These patches add support for configure bypass_iommu on/off for pci root bus, including primary bus and pxb root bus. At present, all root bus will go through iommu when iommu is configured, which is not flexible, because in many situations the need for using iommu and bypass iommu aften exists at the same time. So this add option to enable/disable bypass_iommu for primary bus and pxb root bus. The bypass_iommu property is set to false default, meaning that devcies will go through iommu if no explicit configuration is added. When bypass_iommu is enabled for the root bus, devices attached to it will bypass iommu, otherwise devices will go through iommu. This feature can be used in this manner: arm: -machine virt,iommu=smmuv3,bypass_iommu=true x86: -machine q35,bypass_iommu=true pxb: -device pxb-pcie,bus_nr=0x10,id=pci.10,bus=pcie.0,bypass_iommu=true History: v3 -> v4: - simplify the logic in building the IORT idmap v2 -> v3: - rebase on top of v6.0.0-rc4 - Took into account Eric's comments, replace with a bypass_iommu proerty - When building the IORT idmap, cover the whole RID space v1 -> v2: - rebase on top of v6.0.0-rc0 - Fix some issues - Took into account Eric's comments, and remove the PCI_BUS_IOMMU flag, replace it with a property in PCIHostState. - Add support for x86 iommu option Xingang Wang (8): hw/pci/pci_host: Allow bypass iommu for pci host hw/pxb: Add a bypass iommu property hw/arm/virt: Add a machine option to bypass iommu for primary bus hw/i386: Add a pc machine option to bypass iommu for primary bus hw/pci: Add pci_bus_range to get bus number range hw/arm/virt-acpi-build: Add explicit IORT idmap for smmuv3 node hw/i386/acpi-build: Add explicit scope in DMAR table hw/i386/acpi-build: Add bypass_iommu check when building IVRS table hw/arm/virt-acpi-build.c | 135 ++++++++++++++++++++++++---- hw/arm/virt.c | 26 ++++++ hw/i386/acpi-build.c | 70 ++++++++++++++- hw/i386/pc.c | 18 ++++ hw/pci-bridge/pci_expander_bridge.c | 3 + hw/pci-host/q35.c | 1 + hw/pci/pci.c | 33 ++++++- hw/pci/pci_host.c | 2 + include/hw/arm/virt.h | 1 + include/hw/i386/pc.h | 1 + include/hw/pci/pci.h | 2 + include/hw/pci/pci_host.h | 1 + 12 files changed, 270 insertions(+), 23 deletions(-)