
Re: [Xen-devel] [PATCH] iommu: leave IOMMU enabled by default during kexec crash transition

>>> On 19.02.19 at 22:19, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 19/02/2019 07:43, Jan Beulich wrote:
>>>> An option is left for compatibility with ancient crash kernels which
>>>> didn't like to have IOMMU active under their feet on boot.
>>>> Signed-off-by: Igor Druzhinin <igor.druzhinin@xxxxxxxxxx>
>>> To provide a bit of extra background, it turns out that in hindsight,
>>> turning off the IOMMU in a crash usually makes things worse rather than
>>> better.
>> For an unknown definition of "usually". Corrupted (IOMMU) page
>> tables are not really an impossible crash reason.
> And?  Why is this relevant in context?

Because our chances of recovering (with the IOMMU still enabled)
depend on uncorrupted page tables for at least those parts of the
address space to/from which I/O is still in flight.

>>> In particular, any guest with a PCI device which happens to allocate a
>>> DMA buffer in GFN space which matches the crash region in MFN space will
>>> end up corrupting the crash kernel when DMA remapping gets turned off.
>> Indeed, but that's only PVH Dom0 (unsupported as of yet) or PV
>> Dom0 using PV IOMMU functionality (not even in tree as of yet).
> It is every single HVM guest with a PCI device.
> The kexec/crash path is very broken already in Xen as soon as any kind
> of PCI Passthrough is in use.

Indeed, as said in the other reply to Sergey, I did wrongly consider
Dom0 only here.

>>> Being able to boot with an IOMMU already active is becoming common, not
>>> least because of the ongoing efforts to enforce pre-DXE DMA protection
>>> to protect against cold-boot DMA rootkits.
>> What about the interrupt remapping part of the IOMMU functionality?
> What about it?  It is a necessary part of protection against rogue devices.

But isn't it a valid question whether keeping interrupt remapping
enabled is helpful or potentially making things worse? The
description of the patch discusses the DMA translation aspects
only. Unless the crash kernel would always operate in polling
mode only, it needs to have interrupts routed to the right
handler(s). Whether that's guaranteed with remapping left
enabled is not something that goes without saying, imo.

