All of lore.kernel.org
 help / color / mirror / Atom feed
* [virtio-dev] [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS
@ 2021-02-25 17:53 Jean-Philippe Brucker
  2021-02-25 19:11 ` [virtio-dev] " Michael S. Tsirkin
  0 siblings, 1 reply; 4+ messages in thread
From: Jean-Philippe Brucker @ 2021-02-25 17:53 UTC (permalink / raw)
  To: virtio-dev; +Cc: eric.auger, mst, kevin.tian, Jean-Philippe Brucker

Specify the behavior of the device before feature negotiation.
Implementations that allow DMA to bypass the IOMMU during boot inform
the driver by setting the VIRTIO_IOMMU_F_BOOT_BYPASS feature.
Negotiating the feature doesn't have any effect.

Clarify the description for VIRTIO_IOMMU_F_BYPASS while we're at it,
because "downstream of the IOMMU" is confusing.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
 virtio-iommu.tex | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/virtio-iommu.tex b/virtio-iommu.tex
index 08b358a..4f34a14 100644
--- a/virtio-iommu.tex
+++ b/virtio-iommu.tex
@@ -59,7 +59,7 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
   VIRTIO_IOMMU_F_MAP_UNMAP is supported.}
 
 \item[VIRTIO_IOMMU_F_BYPASS (3)]
-  When not attached to a domain, endpoints downstream of the IOMMU
+  When not attached to a domain, endpoints managed by the IOMMU
   can access the guest-physical address space.
 
 \item[VIRTIO_IOMMU_F_PROBE (4)]
@@ -67,6 +67,10 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
 
 \item[VIRTIO_IOMMU_F_MMIO (5)]
   The VIRTIO_IOMMU_MAP_F_MMIO flag is available.
+
+\item[VIRTIO_IOMMU_F_BOOT_BYPASS (6)]
+  Before feature negotiation, endpoints managed by the IOMMU
+  can access the guest-physical address space.
 \end{description}
 
 \drivernormative{\subsubsection}{Feature bits}{Device Types / IOMMU Device / Feature bits}
@@ -114,12 +118,15 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
 
 When the device is reset, endpoints are not attached to any domain.
 
-If the VIRTIO_IOMMU_F_BYPASS feature is negotiated, all accesses from
-unattached endpoints are allowed and translated by the IOMMU using the
-identity function. If the feature is not negotiated, any memory access
-from an unattached endpoint fails. Upon attaching an endpoint in
-bypass mode to a new domain, any memory access from the endpoint fails,
-since the domain does not contain any mapping.
+Memory accesses from an endpoint bypass the IOMMU, that is all
+accesses are allowed and translated using the identity function,
+in the following cases:
+\begin{itemize}
+\item If the VIRTIO_IOMMU_F_BOOT_BYPASS feature is offered and
+  the FEATURES_OK status bit is not set.
+\item If the VIRTIO_IOMMU_F_BYPASS feature is negotiated and the
+  endpoint is not attached to a domain.
+\end{itemize}
 
 Future devices might support more modes of operation besides MAP/UNMAP.
 Drivers verify that devices set VIRTIO_IOMMU_F_MAP_UNMAP and fail
@@ -136,8 +143,13 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
 
 \devicenormative{\subsubsection}{Device Initialization}{Device Types / IOMMU Device / Device Initialization}
 
+If the device does not offer the VIRTIO_IOMMU_F_BOOT_BYPASS
+feature, it SHOULD NOT let endpoints access the guest-physical
+address space before feature negotiation is complete.
+
 If the driver does not accept the VIRTIO_IOMMU_F_BYPASS feature, the
-device SHOULD NOT let endpoints access the guest-physical address space.
+device SHOULD NOT let endpoints access the guest-physical address space
+after feature negotiation is complete.
 
 \subsection{Device operations}\label{sec:Device Types / IOMMU Device / Device operations}
 
-- 
2.30.1


---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [virtio-dev] Re: [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS
  2021-02-25 17:53 [virtio-dev] [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS Jean-Philippe Brucker
@ 2021-02-25 19:11 ` Michael S. Tsirkin
  2021-02-26 12:13   ` Jean-Philippe Brucker
  0 siblings, 1 reply; 4+ messages in thread
From: Michael S. Tsirkin @ 2021-02-25 19:11 UTC (permalink / raw)
  To: Jean-Philippe Brucker; +Cc: virtio-dev, eric.auger, kevin.tian

On Thu, Feb 25, 2021 at 06:53:15PM +0100, Jean-Philippe Brucker wrote:
> Specify the behavior of the device before feature negotiation.
> Implementations that allow DMA to bypass the IOMMU during boot inform
> the driver by setting the VIRTIO_IOMMU_F_BOOT_BYPASS feature.
> Negotiating the feature doesn't have any effect.

from spec text it kind of looks like it does, after
FEATURES_OK devices are disallowed access?

> Clarify the description for VIRTIO_IOMMU_F_BYPASS while we're at it,
> because "downstream of the IOMMU" is confusing.
> 
> Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

are the two bypass features dependend on each other then?

> ---
>  virtio-iommu.tex | 28 ++++++++++++++++++++--------
>  1 file changed, 20 insertions(+), 8 deletions(-)
> 
> diff --git a/virtio-iommu.tex b/virtio-iommu.tex
> index 08b358a..4f34a14 100644
> --- a/virtio-iommu.tex
> +++ b/virtio-iommu.tex
> @@ -59,7 +59,7 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
>    VIRTIO_IOMMU_F_MAP_UNMAP is supported.}
>  
>  \item[VIRTIO_IOMMU_F_BYPASS (3)]
> -  When not attached to a domain, endpoints downstream of the IOMMU
> +  When not attached to a domain, endpoints managed by the IOMMU
>    can access the guest-physical address space.
>  
>  \item[VIRTIO_IOMMU_F_PROBE (4)]
> @@ -67,6 +67,10 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
>  
>  \item[VIRTIO_IOMMU_F_MMIO (5)]
>    The VIRTIO_IOMMU_MAP_F_MMIO flag is available.
> +
> +\item[VIRTIO_IOMMU_F_BOOT_BYPASS (6)]
> +  Before feature negotiation, endpoints managed by the IOMMU
> +  can access the guest-physical address space.
>  \end{description}
>  
>  \drivernormative{\subsubsection}{Feature bits}{Device Types / IOMMU Device / Feature bits}
> @@ -114,12 +118,15 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
>  
>  When the device is reset, endpoints are not attached to any domain.
>  
> -If the VIRTIO_IOMMU_F_BYPASS feature is negotiated, all accesses from
> -unattached endpoints are allowed and translated by the IOMMU using the
> -identity function. If the feature is not negotiated, any memory access
> -from an unattached endpoint fails. Upon attaching an endpoint in
> -bypass mode to a new domain, any memory access from the endpoint fails,
> -since the domain does not contain any mapping.
> +Memory accesses from an endpoint bypass the IOMMU, that is all
> +accesses are allowed and translated using the identity function,
> +in the following cases:
> +\begin{itemize}
> +\item If the VIRTIO_IOMMU_F_BOOT_BYPASS feature is offered and
> +  the FEATURES_OK status bit is not set.

confused. so this feature *only* has effect before FEATURES_OK?


> +\item If the VIRTIO_IOMMU_F_BYPASS feature is negotiated and the
> +  endpoint is not attached to a domain.
> +\end{itemize}
>  
>  Future devices might support more modes of operation besides MAP/UNMAP.
>  Drivers verify that devices set VIRTIO_IOMMU_F_MAP_UNMAP and fail
> @@ -136,8 +143,13 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
>  
>  \devicenormative{\subsubsection}{Device Initialization}{Device Types / IOMMU Device / Device Initialization}
>  
> +If the device does not offer the VIRTIO_IOMMU_F_BOOT_BYPASS
> +feature, it SHOULD NOT let endpoints access the guest-physical
> +address space before feature negotiation is complete.
> +
>  If the driver does not accept the VIRTIO_IOMMU_F_BYPASS feature, the
> -device SHOULD NOT let endpoints access the guest-physical address space.
> +device SHOULD NOT let endpoints access the guest-physical address space
> +after feature negotiation is complete.


sounds weird as if they are only allowed access before feature
negotiation. likely not what you meant.


>  
>  \subsection{Device operations}\label{sec:Device Types / IOMMU Device / Device operations}
>  
> -- 
> 2.30.1


---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [virtio-dev] Re: [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS
  2021-02-25 19:11 ` [virtio-dev] " Michael S. Tsirkin
@ 2021-02-26 12:13   ` Jean-Philippe Brucker
  2021-03-22 14:16     ` Michael S. Tsirkin
  0 siblings, 1 reply; 4+ messages in thread
From: Jean-Philippe Brucker @ 2021-02-26 12:13 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: virtio-dev, eric.auger, kevin.tian

On Thu, Feb 25, 2021 at 02:11:17PM -0500, Michael S. Tsirkin wrote:
> On Thu, Feb 25, 2021 at 06:53:15PM +0100, Jean-Philippe Brucker wrote:
> > Specify the behavior of the device before feature negotiation.
> > Implementations that allow DMA to bypass the IOMMU during boot inform
> > the driver by setting the VIRTIO_IOMMU_F_BOOT_BYPASS feature.
> > Negotiating the feature doesn't have any effect.
> 
> from spec text it kind of looks like it does, after
> FEATURES_OK devices are disallowed access?

Before FEATURES_OK the BOOT_BYPASS feature defines the policy chosen by
the device implementation.  After FEATURES_OK the driver overrides this
policy using the BYPASS feature.

Thinking more about this, we can't redefine F_BYPASS now (QEMU offers it),
but I'm tempted to deprecate it and replace it with a new feature bit that
indicates presence of a bypass field in config space. Device sets the byte
to 0 or 1 to declare its default bypass policy, and driver can override
this by writing 0 or 1 (currently done by accepting or refusing F_BYPASS).
It would be a lot cleaner than this.

Or just state that the boot-bypass behavior is up to the implementation
and leave it at that.

> > Clarify the description for VIRTIO_IOMMU_F_BYPASS while we're at it,
> > because "downstream of the IOMMU" is confusing.
> > 
> > Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
> 
> are the two bypass features dependend on each other then?

No the device can offer one without the other.

Thanks,
Jean

> 
> > ---
> >  virtio-iommu.tex | 28 ++++++++++++++++++++--------
> >  1 file changed, 20 insertions(+), 8 deletions(-)
> > 
> > diff --git a/virtio-iommu.tex b/virtio-iommu.tex
> > index 08b358a..4f34a14 100644
> > --- a/virtio-iommu.tex
> > +++ b/virtio-iommu.tex
> > @@ -59,7 +59,7 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
> >    VIRTIO_IOMMU_F_MAP_UNMAP is supported.}
> >  
> >  \item[VIRTIO_IOMMU_F_BYPASS (3)]
> > -  When not attached to a domain, endpoints downstream of the IOMMU
> > +  When not attached to a domain, endpoints managed by the IOMMU
> >    can access the guest-physical address space.
> >  
> >  \item[VIRTIO_IOMMU_F_PROBE (4)]
> > @@ -67,6 +67,10 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
> >  
> >  \item[VIRTIO_IOMMU_F_MMIO (5)]
> >    The VIRTIO_IOMMU_MAP_F_MMIO flag is available.
> > +
> > +\item[VIRTIO_IOMMU_F_BOOT_BYPASS (6)]
> > +  Before feature negotiation, endpoints managed by the IOMMU
> > +  can access the guest-physical address space.
> >  \end{description}
> >  
> >  \drivernormative{\subsubsection}{Feature bits}{Device Types / IOMMU Device / Feature bits}
> > @@ -114,12 +118,15 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
> >  
> >  When the device is reset, endpoints are not attached to any domain.
> >  
> > -If the VIRTIO_IOMMU_F_BYPASS feature is negotiated, all accesses from
> > -unattached endpoints are allowed and translated by the IOMMU using the
> > -identity function. If the feature is not negotiated, any memory access
> > -from an unattached endpoint fails. Upon attaching an endpoint in
> > -bypass mode to a new domain, any memory access from the endpoint fails,
> > -since the domain does not contain any mapping.
> > +Memory accesses from an endpoint bypass the IOMMU, that is all
> > +accesses are allowed and translated using the identity function,
> > +in the following cases:
> > +\begin{itemize}
> > +\item If the VIRTIO_IOMMU_F_BOOT_BYPASS feature is offered and
> > +  the FEATURES_OK status bit is not set.
> 
> confused. so this feature *only* has effect before FEATURES_OK?
> 
> 
> > +\item If the VIRTIO_IOMMU_F_BYPASS feature is negotiated and the
> > +  endpoint is not attached to a domain.
> > +\end{itemize}
> >  
> >  Future devices might support more modes of operation besides MAP/UNMAP.
> >  Drivers verify that devices set VIRTIO_IOMMU_F_MAP_UNMAP and fail
> > @@ -136,8 +143,13 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
> >  
> >  \devicenormative{\subsubsection}{Device Initialization}{Device Types / IOMMU Device / Device Initialization}
> >  
> > +If the device does not offer the VIRTIO_IOMMU_F_BOOT_BYPASS
> > +feature, it SHOULD NOT let endpoints access the guest-physical
> > +address space before feature negotiation is complete.
> > +
> >  If the driver does not accept the VIRTIO_IOMMU_F_BYPASS feature, the
> > -device SHOULD NOT let endpoints access the guest-physical address space.
> > +device SHOULD NOT let endpoints access the guest-physical address space
> > +after feature negotiation is complete.
> 
> 
> sounds weird as if they are only allowed access before feature
> negotiation. likely not what you meant.
> 
> 
> >  
> >  \subsection{Device operations}\label{sec:Device Types / IOMMU Device / Device operations}
> >  
> > -- 
> > 2.30.1
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [virtio-dev] Re: [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS
  2021-02-26 12:13   ` Jean-Philippe Brucker
@ 2021-03-22 14:16     ` Michael S. Tsirkin
  0 siblings, 0 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2021-03-22 14:16 UTC (permalink / raw)
  To: Jean-Philippe Brucker; +Cc: virtio-dev, eric.auger, kevin.tian

On Fri, Feb 26, 2021 at 01:13:52PM +0100, Jean-Philippe Brucker wrote:
> On Thu, Feb 25, 2021 at 02:11:17PM -0500, Michael S. Tsirkin wrote:
> > On Thu, Feb 25, 2021 at 06:53:15PM +0100, Jean-Philippe Brucker wrote:
> > > Specify the behavior of the device before feature negotiation.
> > > Implementations that allow DMA to bypass the IOMMU during boot inform
> > > the driver by setting the VIRTIO_IOMMU_F_BOOT_BYPASS feature.
> > > Negotiating the feature doesn't have any effect.
> > 
> > from spec text it kind of looks like it does, after
> > FEATURES_OK devices are disallowed access?
> 
> Before FEATURES_OK the BOOT_BYPASS feature defines the policy chosen by
> the device implementation.  After FEATURES_OK the driver overrides this
> policy using the BYPASS feature.
> 
> Thinking more about this, we can't redefine F_BYPASS now (QEMU offers it),
> but I'm tempted to deprecate it and replace it with a new feature bit that
> indicates presence of a bypass field in config space. Device sets the byte
> to 0 or 1 to declare its default bypass policy, and driver can override
> this by writing 0 or 1 (currently done by accepting or refusing F_BYPASS).
> It would be a lot cleaner than this.

that sounds reasonable. we don't have a deprecation mechanism
but we can have a non-normative text suggesting this is avoided.

> Or just state that the boot-bypass behavior is up to the implementation
> and leave it at that.

not sure it's a good idea given we already made promises in the spec
and implementations might rely on them for security.

> > > Clarify the description for VIRTIO_IOMMU_F_BYPASS while we're at it,
> > > because "downstream of the IOMMU" is confusing.
> > > 
> > > Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
> > 
> > are the two bypass features dependend on each other then?
> 
> No the device can offer one without the other.
> 
> Thanks,
> Jean
> 
> > 
> > > ---
> > >  virtio-iommu.tex | 28 ++++++++++++++++++++--------
> > >  1 file changed, 20 insertions(+), 8 deletions(-)
> > > 
> > > diff --git a/virtio-iommu.tex b/virtio-iommu.tex
> > > index 08b358a..4f34a14 100644
> > > --- a/virtio-iommu.tex
> > > +++ b/virtio-iommu.tex
> > > @@ -59,7 +59,7 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
> > >    VIRTIO_IOMMU_F_MAP_UNMAP is supported.}
> > >  
> > >  \item[VIRTIO_IOMMU_F_BYPASS (3)]
> > > -  When not attached to a domain, endpoints downstream of the IOMMU
> > > +  When not attached to a domain, endpoints managed by the IOMMU
> > >    can access the guest-physical address space.
> > >  
> > >  \item[VIRTIO_IOMMU_F_PROBE (4)]
> > > @@ -67,6 +67,10 @@ \subsection{Feature bits}\label{sec:Device Types / IOMMU Device / Feature bits}
> > >  
> > >  \item[VIRTIO_IOMMU_F_MMIO (5)]
> > >    The VIRTIO_IOMMU_MAP_F_MMIO flag is available.
> > > +
> > > +\item[VIRTIO_IOMMU_F_BOOT_BYPASS (6)]
> > > +  Before feature negotiation, endpoints managed by the IOMMU
> > > +  can access the guest-physical address space.
> > >  \end{description}
> > >  
> > >  \drivernormative{\subsubsection}{Feature bits}{Device Types / IOMMU Device / Feature bits}
> > > @@ -114,12 +118,15 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
> > >  
> > >  When the device is reset, endpoints are not attached to any domain.
> > >  
> > > -If the VIRTIO_IOMMU_F_BYPASS feature is negotiated, all accesses from
> > > -unattached endpoints are allowed and translated by the IOMMU using the
> > > -identity function. If the feature is not negotiated, any memory access
> > > -from an unattached endpoint fails. Upon attaching an endpoint in
> > > -bypass mode to a new domain, any memory access from the endpoint fails,
> > > -since the domain does not contain any mapping.
> > > +Memory accesses from an endpoint bypass the IOMMU, that is all
> > > +accesses are allowed and translated using the identity function,
> > > +in the following cases:
> > > +\begin{itemize}
> > > +\item If the VIRTIO_IOMMU_F_BOOT_BYPASS feature is offered and
> > > +  the FEATURES_OK status bit is not set.
> > 
> > confused. so this feature *only* has effect before FEATURES_OK?
> > 
> > 
> > > +\item If the VIRTIO_IOMMU_F_BYPASS feature is negotiated and the
> > > +  endpoint is not attached to a domain.
> > > +\end{itemize}
> > >  
> > >  Future devices might support more modes of operation besides MAP/UNMAP.
> > >  Drivers verify that devices set VIRTIO_IOMMU_F_MAP_UNMAP and fail
> > > @@ -136,8 +143,13 @@ \subsection{Device initialization}\label{sec:Device Types / IOMMU Device / Devic
> > >  
> > >  \devicenormative{\subsubsection}{Device Initialization}{Device Types / IOMMU Device / Device Initialization}
> > >  
> > > +If the device does not offer the VIRTIO_IOMMU_F_BOOT_BYPASS
> > > +feature, it SHOULD NOT let endpoints access the guest-physical
> > > +address space before feature negotiation is complete.
> > > +
> > >  If the driver does not accept the VIRTIO_IOMMU_F_BYPASS feature, the
> > > -device SHOULD NOT let endpoints access the guest-physical address space.
> > > +device SHOULD NOT let endpoints access the guest-physical address space
> > > +after feature negotiation is complete.
> > 
> > 
> > sounds weird as if they are only allowed access before feature
> > negotiation. likely not what you meant.
> > 
> > 
> > >  
> > >  \subsection{Device operations}\label{sec:Device Types / IOMMU Device / Device operations}
> > >  
> > > -- 
> > > 2.30.1
> > 


---------------------------------------------------------------------
To unsubscribe, e-mail: virtio-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: virtio-dev-help@lists.oasis-open.org


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-22 14:16 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-25 17:53 [virtio-dev] [PATCH] virtio-iommu: Add VIRTIO_IOMMU_F_BOOT_BYPASS Jean-Philippe Brucker
2021-02-25 19:11 ` [virtio-dev] " Michael S. Tsirkin
2021-02-26 12:13   ` Jean-Philippe Brucker
2021-03-22 14:16     ` Michael S. Tsirkin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.