Xen project Mailing List

Re: [PATCH v5 06/14] vpci/header: implement guest BAR register handlers

To: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>

Date: Mon, 31 Jan 2022 13:30:55 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=d1TjH7lN/Tt5ocAalX20eM1hGIagS6iYx7hqGF8bsW4=; b=ByJNUNfQ9vG1GpLAqB0H0XpEUirbEmPk8qIg/FsXyXLI3XMnDrKfWaUWh6KvZdHXUO7DzAY832LHHTGDZsanuxEOoyDAqTg52p4Pcx+bgnOj2gQMg/sbGI947OT50a2uUWbhGWUX3v7MM8XWFpJWqaCjMFE4A0enZH0E3ab+1yIw+Zg6q/utSWX/R4r4ME9KOCU/kfbbJ/PXRppLLRN8VZ9tcbMvo493sV40kfKT6sbYAdEsvFHikdJKTutnJ3Jh9ETGAs0I8xFTk5iBiaB0qUylU2GYZd0pLQ0f+SlVRO4uQDmNyBSoEKHHp1kvWN4eX6WRJ0/yd0RgHKq0f4Pw5w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g45nrikckX7lX2Ey//vqzSi3hz5F6zGwJAwSkXHZ1X9wwVOg1O8dsVoU89WpPqdaq2HfjmF9uh3cpmsp6S10k0SbuWT94eB2iMlBh25DUK34Cl15Ep8LezFDFYFLK2Dsu+eOXQscqGN2Ve0P3qehpVTfkaXWXdSuRJ6TeUdk7imYSCiFffihqfssMYOq2pg7blwuUn1MtrDaLp45b3yd+sF4qsHjmff8ukbEcht4U3iizcJkU/E8RceLc/1vT8EK93rIC/EgVPHxE/xr8Fy0dfxISLL2+n7uZNnrBTTX+sztBN/5GkLsL8HZXmhZNQ0Z6feP2uZqhMxue3TJesUfxQ==

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "julien@xxxxxxx" <julien@xxxxxxx>, "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Artem Mygaiev <Artem_Mygaiev@xxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "george.dunlap@xxxxxxxxxx" <george.dunlap@xxxxxxxxxx>, "paul@xxxxxxx" <paul@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>

Delivery-date: Mon, 31 Jan 2022 13:31:24 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHX4ewHyWAyD811HEGp8pIjUuVWNaxfndGAgB2tWgCAAA7+AIAACECAgAADxgCAAARsgIAAHxiA

Thread-topic: [PATCH v5 06/14] vpci/header: implement guest BAR register handlers

On 31.01.22 13:39, Jan Beulich wrote: > On 31.01.2022 12:23, Oleksandr Andrushchenko wrote: >> On 31.01.22 13:10, Roger Pau Monné wrote: >>> Right (see my previous reply to this comment). I think it would be >>> easier (and cleaner) if you switched the default behavior regarding >>> unhandled register access for domUs at the start of the series (drop >>> writes, reads returns ~0), and then you won't need to add all those >>> dummy handler to drop writes and return ~0 for reads. >>> >>> It's going to be more work initially as you would need to support >>> passthrough of more registers, but it's the right approach that we >>> need implementation wise. >> While I agree in general, this effectively means that I'll need to provide >> handling for all PCIe registers and capabilities from the very start. >> Otherwise no guest be able to properly initialize a PCI device without that. >> Of course, we may want starting from stubs instead of proper emulation, >> which will direct the access to real HW and later on we add proper emulation. >> But, again, this is going to be a rather big piece of code where we need >> to explicitly handle every possible capability. > Since the two sub-threads are now about exactly the same topic, I'm > answering here instead of there. > > No, you are not going to need to emulate all possible capabilities. > We (or really qemu) don't do this on x86 either. Certain capabilities > may be a must, but not everything. There are also device specific > registers not covered by any capability structures - what to do with > those is even more of a question. > > Furthermore for some of the fields justification why access to the > raw hardware value is fine is going to be easy: r/o fields like > vendor and device ID, for example. But every bit you allow direct > access to needs to come with justification. > >> At the moment we are not going to claim that vPCI provides all means to >> pass through a PCI device safely with this respect and this is why the >> feature >> itself won't even be a tech preview yet. For that reason I think we can still >> have implemented only crucial set of handlers and still allow the rest to >> be read/write directly without emulation. > I think you need to separate what you need for development from what > goes upstream: For dev purposes you can very well invert the policy > from white- to black-listing. But if we accepted the latter into the > main tree, the risk would be there that something gets missed at the > time where the permission model gets changed around. > > You could even have a non-default mode operating the way you want it > (along the lines of pciback's permissive mode), allowing you to get > away without needing to carry private patches. Things may also > initially only work in that mode. But the default should be a mode > which is secure (and which perhaps initially offers only very limited > functionality). Ok, so to make it clear: 1. We do not allow unhandled access for guests: for that I will create a dedicated patch which will implement such restrictions. Something like the below (for both vPCI read and write): diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c index c5e67491c24f..9ef2a1b5af58 100644 --- a/xen/drivers/vpci/vpci.c +++ b/xen/drivers/vpci/vpci.c @@ -347,6 +347,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size) const struct vpci_register *r; unsigned int data_offset = 0; uint32_t data = ~(uint32_t)0; + bool handled = false; if ( !size ) { @@ -405,6 +406,8 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size) if ( cmp > 0 ) continue; + handled = true; /* Found the handler for this access. */ + if ( emu.offset < r->offset ) { /* Heading gap, read partial content from hardware. */ @@ -432,6 +435,10 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, unsigned int size) } spin_unlock(&pdev->vpci_lock); + /* All unhandled guest requests return all 1's. */ + if ( !is_hardware_domain(d) && !handled ) + return ~(uint32_t)0; + if ( data_offset < size ) { /* Tailing gap, read the remaining. */ @Roger: does the above work for you? 2. For the time being, while only a reduced set of registers is emulated, everyone who wants to test vPCI for guests should either create their own patch with those handlers implemented or overcome that in any other suitable way, e.g. with a hack that removes HW register access protection or by any other means. > >> Another question is what needs to be done for vendor specific capabilities? >> How these are going to be emulated? > By vendor specific code, I'm afraid. Assuming these capabilities > really need exposing in the first place. I have a feeling this is not going to happen... > > Jan > Thank you, Oleksandr

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.