From: Ram Pai <linuxram@us.ibm.com>
To: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: andmike@us.ibm.com, mst@redhat.com, mdroth@linux.vnet.ibm.com,
linux-kernel@vger.kernel.org, ram.n.pai@gmail.com, cai@lca.pw,
tglx@linutronix.de, sukadev@linux.vnet.ibm.com,
linuxppc-dev@lists.ozlabs.org, hch@lst.de,
bauerman@linux.ibm.com, david@gibson.dropbear.id.au
Subject: RE: [PATCH v4 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page with the hypervisor.
Date: Tue, 3 Dec 2019 16:49:58 -0800 [thread overview]
Message-ID: <20191204004958.GB5063@oc0525413822.ibm.com> (raw)
In-Reply-To: <3a17372a-fcee-efbf-0a05-282ffb1adc90@ozlabs.ru>
On Wed, Dec 04, 2019 at 11:04:04AM +1100, Alexey Kardashevskiy wrote:
>
>
> On 04/12/2019 03:52, Ram Pai wrote:
> > On Tue, Dec 03, 2019 at 03:24:37PM +1100, Alexey Kardashevskiy wrote:
> >>
> >>
> >> On 03/12/2019 15:05, Ram Pai wrote:
> >>> On Tue, Dec 03, 2019 at 01:15:04PM +1100, Alexey Kardashevskiy wrote:
> >>>>
> >>>>
> >>>> On 03/12/2019 13:08, Ram Pai wrote:
> >>>>> On Tue, Dec 03, 2019 at 11:56:43AM +1100, Alexey Kardashevskiy wrote:
> >>>>>>
> >>>>>>
> >>>>>> On 02/12/2019 17:45, Ram Pai wrote:
> >>>>>>> H_PUT_TCE_INDIRECT hcall uses a page filled with TCE entries, as one of
> >>>>>>> its parameters. One page is dedicated per cpu, for the lifetime of the
> >>>>>>> kernel for this purpose. On secure VMs, contents of this page, when
> >>>>>>> accessed by the hypervisor, retrieves encrypted TCE entries. Hypervisor
> >>>>>>> needs to know the unencrypted entries, to update the TCE table
> >>>>>>> accordingly. There is nothing secret or sensitive about these entries.
> >>>>>>> Hence share the page with the hypervisor.
> >>>>>>
> >>>>>> This unsecures a page in the guest in a random place which creates an
> >>>>>> additional attack surface which is hard to exploit indeed but
> >>>>>> nevertheless it is there.
> >>>>>> A safer option would be not to use the
> >>>>>> hcall-multi-tce hyperrtas option (which translates FW_FEATURE_MULTITCE
> >>>>>> in the guest).
> >>>>>
> >>>>>
> >>>>> Hmm... How do we not use it? AFAICT hcall-multi-tce option gets invoked
> >>>>> automatically when IOMMU option is enabled.
> >>>>
> >>>> It is advertised by QEMU but the guest does not have to use it.
> >>>
> >>> Are you suggesting that even normal-guest, not use hcall-multi-tce?
> >>> or just secure-guest?
> >>
> >>
> >> Just secure.
> >
> > hmm.. how are the TCE entries communicated to the hypervisor, if
> > hcall-multi-tce is disabled?
>
> Via H_PUT_TCE which updates 1 entry at once (sets or clears).
> hcall-multi-tce enables H_PUT_TCE_INDIRECT (512 entries at once) and
> H_STUFF_TCE (clearing, up to 4bln at once? many), these are simply an
> optimization.
Do you still think, secure-VM should use H_PUT_TCE and not
H_PUT_TCE_INDIRECT? And normal VM should use H_PUT_TCE_INDIRECT?
Is there any advantage of special casing it for secure-VMs.
In fact, we could make use of as much optimization as possible.
>
> >>>> Is not this for pci+swiotlb?
..snip..
> >>> This patch is purely to help the hypervisor setup the TCE table, in the
> >>> presence of a IOMMU.
> >>
> >> Then the hypervisor should be able to access the guest pages mapped for
> >> DMA and these pages should be made unsecure for this to work. Where/when
> >> does this happen?
> >
> > This happens in the SWIOTLB code. The code to do that is already
> > upstream.
> >
> > The sharing of the pages containing the SWIOTLB bounce buffers is done
> > in init_svm() which calls swiotlb_update_mem_attributes() which calls
> > set_memory_decrypted(). In the case of pseries, set_memory_decrypted() calls
> > uv_share_page().
>
>
> This does not seem enough as when you enforce iommu_platform=on, QEMU
> starts accessing virtio buffers via IOMMU so bounce buffers have to be
> mapped explicitly, via H_PUT_TCE&co, where does this happen?
>
I think, it happens at boot time. Every page of the guest memory is TCE
mapped, if iommu is enabled. SWIOTLB pages get implicitly TCE-mapped
as part of that operation.
RP
next prev parent reply other threads:[~2019-12-04 0:52 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-02 6:45 [PATCH v4 0/2] Enable IOMMU support for pseries Secure VMs Ram Pai
2019-12-02 6:45 ` [PATCH v4 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page with the hypervisor Ram Pai
2019-12-02 6:45 ` [PATCH v4 2/2] powerpc/pseries/iommu: Use dma_iommu_ops for Secure VMs aswell Ram Pai
2019-12-03 0:58 ` Alexey Kardashevskiy
2019-12-03 4:07 ` Ram Pai
2019-12-03 0:56 ` [PATCH v4 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page with the hypervisor Alexey Kardashevskiy
2019-12-03 2:08 ` Ram Pai
2019-12-03 2:15 ` Alexey Kardashevskiy
2019-12-03 4:05 ` Ram Pai
2019-12-03 4:24 ` Alexey Kardashevskiy
2019-12-03 16:52 ` Ram Pai
2019-12-04 0:04 ` Alexey Kardashevskiy
2019-12-04 0:49 ` Ram Pai [this message]
2019-12-04 1:08 ` Alexey Kardashevskiy
2019-12-04 3:36 ` David Gibson
2019-12-04 20:42 ` Ram Pai
2019-12-04 22:26 ` Alexey Kardashevskiy
2019-12-05 2:15 ` [PATCH v4 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page with the hypervisor.y Ram Pai
2019-12-06 23:10 ` [PATCH v4 1/2] powerpc/pseries/iommu: Share the per-cpu TCE page with the hypervisor Ram Pai
2019-12-05 8:28 ` Christoph Hellwig
2019-12-04 18:26 ` Leonardo Bras
2019-12-04 20:27 ` Ram Pai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191204004958.GB5063@oc0525413822.ibm.com \
--to=linuxram@us.ibm.com \
--cc=aik@ozlabs.ru \
--cc=andmike@us.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=cai@lca.pw \
--cc=david@gibson.dropbear.id.au \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=ram.n.pai@gmail.com \
--cc=sukadev@linux.vnet.ibm.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).