Xen project Mailing List

Re: [PATCH v5 01/15] IOMMU/x86: restrict IO-APIC mappings for PV Dom0

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 31 May 2022 17:40:03 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iXxV7bJ6vjyzQILnL6lUhIakTT67DbLkDsIxoJtck5s=; b=JgJ8cRDOqYS34XyRdMf4Qtnw6PPQYEv7zERc9OkDd/4KM6fmBWQCMnz1XCX48N04aTGk9sWYT0G9gIZ3Qc1WcJMsmOJEClgRJKWBHaFgzJyBOfzrEsNkkP+ZWRNrl+2QpY9rr3eB5MvMhm+9V0MOee8At3gdjO02nV0zEJE9HmmOJ3HRmAWc5V7GJSFleHcLGlyO0ViZ4AMin4ncTTCC4wPBBm51QNX0dlXrw40kXrOB4MSX9AaWhvxD4qEsYeD10WLBqmoTldzw2WZZbeOY0AV96Vc0t/Tk8zonHFBqYerOPkLRO8AOfCJcWUiMxIxXyTyBehj8IkavZN8/DmMVHw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HR+OBMvvbIfgohbkHci23Y8qYwz7OkQFYkFlKEnbz+ZFAInQlr7c8hbooTkWTb/bMEHOhUGYsmCzrwZAlj+IRqFeHlio9yHIE49kabTuv6uYk3qp9sIWbscg4Ih6aEPZJvnkXuTrmHDoJBi6d5g59AsPnK7A0G6PGLCl8UufWQXM/vel25R+zKGY/zm2v9qphr0gJpnlTwOlmTwNc1O5Vr7K4Gsl39kJn+PbjhlCJWSUiudUrTBYPjYSJwiLIEeFK0GpeusJGUxFvNhO4mJav047TCrZlqI25ToqGYbRJ/pN4l/ZgIpA1SCzp1EGapa9/7U8MuUsZ3UJBbFMPyHEuA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>

Delivery-date: Tue, 31 May 2022 15:40:17 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 31.05.2022 16:40, Roger Pau Monné wrote: > On Fri, May 27, 2022 at 01:12:06PM +0200, Jan Beulich wrote: >> While already the case for PVH, there's no reason to treat PV >> differently here, though of course the addresses get taken from another >> source in this case. Except that, to match CPU side mappings, by default >> we permit r/o ones. This then also means we now deal consistently with >> IO-APICs whose MMIO is or is not covered by E820 reserved regions. >> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > > Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Thanks. >> @@ -289,44 +290,75 @@ static bool __hwdom_init hwdom_iommu_map >> * that fall in unusable ranges for PV Dom0. >> */ >> if ( (pfn > max_pfn && !mfn_valid(mfn)) || xen_in_range(pfn) ) >> - return false; >> + return 0; >> >> switch ( type = page_get_ram_type(mfn) ) >> { >> case RAM_TYPE_UNUSABLE: >> - return false; >> + return 0; >> >> case RAM_TYPE_CONVENTIONAL: >> if ( iommu_hwdom_strict ) >> - return false; >> + return 0; >> break; >> >> default: >> if ( type & RAM_TYPE_RESERVED ) >> { >> if ( !iommu_hwdom_inclusive && !iommu_hwdom_reserved ) >> - return false; >> + perms = 0; >> } >> - else if ( is_hvm_domain(d) || !iommu_hwdom_inclusive || pfn > >> max_pfn ) >> - return false; >> + else if ( is_hvm_domain(d) ) >> + return 0; >> + else if ( !iommu_hwdom_inclusive || pfn > max_pfn ) >> + perms = 0; >> } >> >> /* Check that it doesn't overlap with the Interrupt Address Range. */ >> if ( pfn >= 0xfee00 && pfn <= 0xfeeff ) >> - return false; >> + return 0; >> /* ... or the IO-APIC */ >> - for ( i = 0; has_vioapic(d) && i < d->arch.hvm.nr_vioapics; i++ ) >> - if ( pfn == PFN_DOWN(domain_vioapic(d, i)->base_address) ) >> - return false; >> + if ( has_vioapic(d) ) >> + { >> + for ( i = 0; i < d->arch.hvm.nr_vioapics; i++ ) >> + if ( pfn == PFN_DOWN(domain_vioapic(d, i)->base_address) ) >> + return 0; >> + } >> + else if ( is_pv_domain(d) ) >> + { >> + /* >> + * Be consistent with CPU mappings: Dom0 is permitted to establish >> r/o >> + * ones there (also for e.g. HPET in certain cases), so it should >> also >> + * have such established for IOMMUs. >> + */ >> + if ( iomem_access_permitted(d, pfn, pfn) && >> + rangeset_contains_singleton(mmio_ro_ranges, pfn) ) >> + perms = IOMMUF_readable; >> + } >> /* >> * ... or the PCIe MCFG regions. With this comment (which I leave alone) ... >> * TODO: runtime added MMCFG regions are not checked to make sure they >> * don't overlap with already mapped regions, thus preventing trapping. >> */ >> if ( has_vpci(d) && vpci_is_mmcfg_address(d, pfn_to_paddr(pfn)) ) >> - return false; >> + return 0; >> + else if ( is_pv_domain(d) ) >> + { >> + /* >> + * Don't extend consistency with CPU mappings to PCI MMCFG regions. >> + * These shouldn't be accessed via DMA by devices. > > Could you expand the comment a bit to explicitly mention the reason > why MMCFG regions shouldn't be accessible from device DMA operations? ... it's hard to tell what I should write here. I'd expect extended reasoning to go there (if anywhere). I'd be okay adjusting the earlier comment, if only I knew what to write. "We don't want them to be accessed that way" seems a little blunt. I could say "Devices have other means to access PCI config space", but this not being said there I took as being implied. Or else what was the reason to exclude these for PVH Dom0? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.