RE: [PATCH 10/11] xen/arm: device assignment on 1:1 direct-map domain

From: Penny Zheng <Penny.Zheng@arm.com>
To: Julien Grall <julien@xen.org>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	"sstabellini@kernel.org" <sstabellini@kernel.org>
Cc: Bertrand Marquis <Bertrand.Marquis@arm.com>, Wei Chen <Wei.Chen@arm.com>
Subject: RE: [PATCH 10/11] xen/arm: device assignment on 1:1 direct-map domain
Date: Sat, 9 Oct 2021 09:40:46 +0000	[thread overview]
Message-ID: <VE1PR08MB5215A1D5695F388F17C367D4F7B39@VE1PR08MB5215.eurprd08.prod.outlook.com> (raw)
In-Reply-To: <c6730ec5-53c7-9bf2-4620-eefbc7c7c4a3@xen.org>

Hi Julien

> -----Original Message-----
> From: Julien Grall <julien@xen.org>
> Sent: Thursday, September 23, 2021 7:27 PM
> To: Penny Zheng <Penny.Zheng@arm.com>; xen-devel@lists.xenproject.org;
> sstabellini@kernel.org
> Cc: Bertrand Marquis <Bertrand.Marquis@arm.com>; Wei Chen
> <Wei.Chen@arm.com>
> Subject: Re: [PATCH 10/11] xen/arm: device assignment on 1:1 direct-map
> domain
> 
> Hi,
> 
> On 23/09/2021 08:11, Penny Zheng wrote:
> > User could do device passthrough, with
> > "xen,force-assign-without-iommu" in the device tree snippet, on
> > trusted guest through 1:1 direct-map, if IOMMU absent or disabled on
> hardware.
> 
> At the moment, it would be possible to passthrough a non-DMA capable
> device with direct-mapping. After this patch, this is going to be forbidden.
> 
> >
> > In order to achieve that, this patch adds 1:1 direct-map check and
> > disables iommu-related action.
> >
> > Signed-off-by: Penny Zheng <penny.zheng@arm.com>
> > ---
> >   xen/arch/arm/domain_build.c | 12 ++++++++----
> >   1 file changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
> > index c92e510ae7..9a9d2522b7 100644
> > --- a/xen/arch/arm/domain_build.c
> > +++ b/xen/arch/arm/domain_build.c
> > @@ -2070,14 +2070,18 @@ static int __init
> handle_passthrough_prop(struct kernel_info *kinfo,
> >       if ( res < 0 )
> >           return res;
> >
> > +    /*
> > +     * If xen_force, we allow assignment of devices without IOMMU
> protection.
> > +     * And if IOMMU is disabled or absent, 1:1 direct-map is necessary > +
> */
> > +    if ( xen_force && is_domain_direct_mapped(kinfo->d) &&
> > +         !dt_device_is_protected(node) )
> 
> dt_device_is_protected() will be always false unless the device is protected
> behing an SMMU using the legacy binding. So I don't think this is correct to
> move this check ahead. In fact..
> 
> > +        return 0;
> > +
> >       res = iommu_add_dt_device(node);
> 
> ... the call should already be a NOP when the IOMMU is disabled or the
> device is not behind an IOMMU. So can you explain what you are trying to
> prevent here?
> 

If the IOMMU is disabled, iommu_add_dt_device will return 1 as errno. 
So we could not make it to the xen_force check...

So I tried to move all IOMMU action behind xen_force check.

Now, device assignment without IOMMU protection is only
applicable on direct-map domains, so this commit also adds
is_domain_direct_mapped check together with xen_force check.

> >       if ( res < 0 )
> >           return res;
> >
> > -    /* If xen_force, we allow assignment of devices without IOMMU
> protection. */
> > -    if ( xen_force && !dt_device_is_protected(node) )
> > -        return 0;
> > -
> >       return iommu_assign_dt_device(kinfo->d, node);
> >   }
> >
> >
> 
> Cheers,
> 
> --
> Julien Grall