On Tue, 8 Dec 2020 11:28:29 +0100 Halil Pasic wrote:
> On Tue, 8 Dec 2020 12:54:03 +1100
> David Gibson wrote:
>
> > > > >>> + * Virtio devices can't count on directly accessing guest
> > > > >>> + * memory, so they need iommu_platform=on to use normal DMA
> > > > >>> + * mechanisms. That requires also disabling legacy virtio
> > > > >>> + * support for those virtio pci devices which allow it.
> > > > >>> + */
> > > > >>> + object_register_sugar_prop(TYPE_VIRTIO_PCI, "disable-legacy",
> > > > >>> + "on", true);
> > > > >>> + object_register_sugar_prop(TYPE_VIRTIO_DEVICE, "iommu_platform",
> > > > >>> + "on", false);
> > > > >>
> > > > >> I have not followed all the history (sorry). Should we also set iommu_platform
> > > > >> for virtio-ccw? Halil?
> > > > >>
> > > > >
> > > > > That line should add iommu_platform for all virtio devices, shouldn't
> > > > > it?
> > > >
> > > > Yes, sorry. Was misreading that with the line above.
> > > >
> > >
> > > I believe this is the best we can get. In a sense it is still a
> > > pessimization,
> >
> > I'm not really clear on what you're getting at here.
>
> By pessimization, I mean that we are going to indicate
> _F_PLATFORM_ACCESS even if it isn't necessary, because the guest never
> opted in for confidential/memory protection/memory encryption. We have
> discussed this before, and I don't see a better solution that works for
> everybody.

If you consider specifying the secure guest option as a way to tell QEMU
to make everything ready for running a secure guest, I'd certainly
consider it necessary. If you do not want to force it, you should not do
the secure guest preparation setup.
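
Review bot: the comment above the two object_register_sugar_prop() calls does not explain why the final argument differs between them: true for "disable-legacy" on TYPE_VIRTIO_PCI, false for "iommu_platform" on TYPE_VIRTIO_DEVICE. A sentence stating what that flag means for each property would let a reader check that the difference is intended. The comment could also say outright that the TYPE_VIRTIO_DEVICE line covers every virtio transport, including virtio-ccw, since the adjacent TYPE_VIRTIO_PCI line makes it easy to read both as PCI-only. It would help to note as well that these defaults apply as soon as the secure guest option is given, whether or not the guest later opts in to memory protection, so that the resulting feature negotiation does not surprise anyone.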