From: Sebastian Hofmann <sebastian@kaemmelot.de>
To: Jason Wang <jasowang@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>
Cc: virtualization@lists.linux-foundation.org
Subject: Re: [PATCH] virtio_ring: use DMA when memory encryption is active
Date: Fri, 23 Oct 2020 12:55:57 +0200 (CEST)
Message-ID: <1556371108.50676.1603450557595@office.mailbox.org>
In-Reply-To: <ea4d2c99-1c67-797d-29dc-d122e4856d24@redhat.com>


> Jason Wang <jasowang@redhat.com> wrote on 23.10.2020 11:10:
> 
>  
> On 2020/10/23 5:00 PM, Sebastian Hofmann wrote:
> >> Michael S. Tsirkin <mst@redhat.com> wrote on 22.10.2020 13:39:
> >>
> >>   
> >> On Wed, Oct 21, 2020 at 05:14:25PM +0200, Sebastian Hofmann wrote:
> >>> virtio_ring does not work with active memory encryption because the host cannot read it. Fix this by enforcing the use of DMA which uses shared (unencrypted) memory pages.
> >>>
> >>> Signed-off-by: Sebastian Hofmann <sebastian@kaemmelot.de>
> >>
> >> Sorry, no.
> >> host which can not access all of driver memory must set VIRTIO_F_ACCESS_PLATFORM.
> >>
> >> Not worth it to work around broken hosts.
> >>
> >> Xen is an exception we carry around since it predates the
> >> introduction of VIRTIO_F_ACCESS_PLATFORM.
> >>
> >>
> > Thanks for pointing out VIRTIO_F_ACCESS_PLATFORM which I was not aware of. Maybe that patch was a bit naïve.
> >
> > Basically I'm looking for a way to use vsock with qemu on AMD SEV. When I try to use IOMMU for vsock I get an EOPNOTSUPP out of vhost_vsock_set_features.
> >
> > Is there a reason why vhost_vsock_set_features doesn't use vhost_init_device_iotlb as done in the net device?
> 
> 
> It's just because it has been implemented. In addition to implementing 
> IOTLB, the virtio-vsock-pci must advertise ATS capability as well.
> 
> 
> > Because that would have been my next attempt.
> > I would appreciate a short comment on this idea or a recommendation for another solution that is better than the patch below.
> 
> 
> A question, is vIOMMU a must for making SEV work?

Based on the demo code from AMD where they just use "-device virtio-scsi-pci,id=scsi,disable-legacy=on,iommu_platform=true" and my understanding of IOMMU: no, I don't think so.

The ATS capability is only required for vIOMMU, right?

> 
> Thanks
> 
> 
> >
> >>> ---
> >>>   drivers/virtio/virtio_ring.c | 5 +++++
> >>>   1 file changed, 5 insertions(+)
> >>>
> >>> diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
> >>> index becc77697960..8c68c475ec21 100644
> >>> --- a/drivers/virtio/virtio_ring.c
> >>> +++ b/drivers/virtio/virtio_ring.c
> >>> @@ -12,6 +12,7 @@
> >>>   #include <linux/hrtimer.h>
> >>>   #include <linux/dma-mapping.h>
> >>>   #include <xen/xen.h>
> >>> +#include <linux/mem_encrypt.h>
> >>>   
> >>>   #ifdef DEBUG
> >>>   /* For development, we want to crash whenever the ring is screwed. */
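Review bot: the added #include <linux/mem_encrypt.h> is placed after <xen/xen.h> instead of with the other <linux/...> headers above it. Move it up next to <linux/dma-mapping.h> so the linux/ includes stay grouped.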
> >>> @@ -255,6 +256,10 @@ static bool vring_use_dma_api(struct virtio_device *vdev)
> >>>   	if (xen_domain())
> >>>   		return true;
> >>>   
> >>> +	/* Memory encryption requires DMA */
> >>> +	if (mem_encrypt_active())
> >>> +		return true;
> >>> +
> >>>   	return false;
> >>>   }
> >>>   
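Review bot: the new mem_encrypt_active() test in vring_use_dma_api() ignores the vdev argument, so it forces the DMA API for every virtio device in the guest whenever memory encryption is active, whatever that device negotiated with the host. As the reply above says, a host that cannot access all of driver memory must set VIRTIO_F_ACCESS_PLATFORM, so this guest-side override should be dropped and the device configured accordingly (the QEMU line quoted in this thread uses iommu_platform=true). If the check were kept, the comment "Memory encryption requires DMA" should state the reason given in the commit message, namely that the host cannot read the encrypted pages.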
> >>> -- 
> >>> 2.25.1
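
A guest-side check for the point made in this thread, whether each virtio device actually negotiated VIRTIO_F_ACCESS_PLATFORM (feature bit 33). This is an added example, not code from the thread or the kernel tree. It assumes the guest exposes the negotiated feature bits as a string of '0'/'1' characters, bit 0 first, in /sys/bus/virtio/devices/*/features; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: classify virtio devices by negotiated feature bits.
#   bit 32 = VIRTIO_F_VERSION_1       (modern device)
#   bit 33 = VIRTIO_F_ACCESS_PLATFORM (driver must use the DMA API)

# Print the value ('0' or '1') of feature bit <n> in a sysfs bit string.
feature_bit() {   # usage: feature_bit <bitstring> <n>
    bits=$1; n=$2
    # A string too short to contain bit n means the bit is not set.
    [ "${#bits}" -gt "$n" ] || { echo 0; return; }
    # cut counts characters from 1, feature bits count from 0.
    printf '%s\n' "$bits" | cut -c "$((n + 1))"
}

# Map a feature bit string to one of three states.
classify_virtio_features() {   # usage: classify_virtio_features <bitstring>
    v1=$(feature_bit "$1" 32)
    ap=$(feature_bit "$1" 33)
    if [ "$ap" = 1 ]; then
        echo "access-platform"            # ring goes through the DMA API
    elif [ "$v1" = 1 ]; then
        echo "modern-no-access-platform"  # host did not offer / guest did not accept bit 33
    else
        echo "legacy"                     # legacy interface: only 32 feature bits exist
    fi
}

# Walk a sysfs-style directory and print "<device>\t<state>" per device.
scan_virtio_devices() {   # usage: scan_virtio_devices [dir]
    dir=${1:-/sys/bus/virtio/devices}
    for f in "$dir"/*/features; do
        [ -r "$f" ] || continue           # no devices, or glob did not match
        dev=$(basename "$(dirname "$f")")
        printf '%s\t%s\n' "$dev" "$(classify_virtio_features "$(cat "$f")")"
    done
}

scan_virtio_devices "$@"
```

In a guest with memory encryption active, any device reported as something other than access-platform is one whose ring the host is expected to read directly from guest memory.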

Thread overview: 7+ messages
     [not found] <1075010014.50900.1603293266000@office.mailbox.org>
2020-10-22 11:39 ` [PATCH] virtio_ring: use DMA when memory encryption is active Michael S. Tsirkin
2020-10-23  9:00   ` Sebastian Hofmann
2020-10-23  9:10     ` Jason Wang
2020-10-23 10:55       ` Sebastian Hofmann [this message]
2020-10-26  3:13         ` Jason Wang
2020-10-23 15:49     ` Michael S. Tsirkin
2020-10-24 10:19       ` Sebastian Hofmann
