Re: PCI devices passthrough on Arm design proposal

Re: PCI devices passthrough on Arm design proposal

[Rahul Singh]

On 17/07/2020, 8:42 am, "Oleksandr Andrushchenko" <Oleksandr_Andrushchenko@epam.com> wrote:


    On 7/17/20 9:53 AM, Bertrand Marquis wrote:
    >
    >> On 16 Jul 2020, at 22:51, Stefano Stabellini <sstabellini@kernel.org> wrote:
    >>
    >> On Thu, 16 Jul 2020, Rahul Singh wrote:
    >>> Hello All,
    >>>
    >>> Following up on discussion on PCI Passthrough support on ARM that we had at the XEN summit, we are submitting a Review For Comment and a design proposal for PCI passthrough support on ARM. Feel free to give your feedback.
    >>>
    >>> The followings describe the high-level design proposal of the PCI passthrough support and how the different modules within the system interacts with each other to assign a particular PCI device to the guest.
    >> I think the proposal is good and I only have a couple of thoughts to
    >> share below.
    >>
    >>
    >>> # Title:
    >>>
    >>> PCI devices passthrough on Arm design proposal
    >>>
    >>> # Problem statement:
    >>>
    >>> On ARM there in no support to assign a PCI device to a guest. PCI device passthrough capability allows guests to have full access to some PCI devices. PCI device passthrough allows PCI devices to appear and behave as if they were physically attached to the guest operating system and provide full isolation of the PCI devices.
    >>>
    >>> Goal of this work is to also support Dom0Less configuration so the PCI backend/frontend drivers used on x86 shall not be used on Arm. It will use the existing VPCI concept from X86 and implement the virtual PCI bus through IO emulation​ such that only assigned devices are visible​ to the guest and guest can use the standard PCI driver.
    >>>
    >>> Only Dom0 and Xen will have access to the real PCI bus,

    So, in this case how is the access serialization going to work?

    I mean that if both Xen and Dom0 are about to access the bus at the same time?

    There was a discussion on the same before [1] and IMO it was not decided on

    how to deal with that.

DOM0 also access the real PCI hardware via MMIO config space trap in XEN. We will take care of config  space access serialization in XEN.

    >>> ​ guest will have a direct access to the assigned device itself​. IOMEM memory will be mapped to the guest ​and interrupt will be redirected to the guest. SMMU has to be configured correctly to have DMA transaction.
    >>>
    >>> ## Current state: Draft version
    >>>
    >>> # Proposer(s): Rahul Singh, Bertrand Marquis
    >>>
    >>> # Proposal:
    >>>
    >>> This section will describe the different subsystem to support the PCI device passthrough and how these subsystems interact with each other to assign a device to the guest.
    >>>
    >>> # PCI Terminology:
    >>>
    >>> Host Bridge: Host bridge allows the PCI devices to talk to the rest of the computer.
    >>> ECAM: ECAM (Enhanced Configuration Access Mechanism) is a mechanism developed to allow PCIe to access configuration space. The space available per function is 4KB.
    >>>
    >>> # Discovering PCI Host Bridge in XEN:
    >>>
    >>> In order to support the PCI passthrough XEN should be aware of all the PCI host bridges available on the system and should be able to access the PCI configuration space. ECAM configuration access is supported as of now. XEN during boot will read the PCI device tree node “reg” property and will map the ECAM space to the XEN memory using the “ioremap_nocache ()” function.
    >>>
    >>> If there are more than one segment on the system, XEN will read the “linux, pci-domain” property from the device tree node and configure  the host bridge segment number accordingly. All the PCI device tree nodes should have the “linux,pci-domain” property so that there will be no conflicts. During hardware domain boot Linux will also use the same “linux,pci-domain” property and assign the domain number to the host bridge.
    >>>
    >>> When Dom0 tries to access the PCI config space of the device, XEN will find the corresponding host bridge based on segment number and access the corresponding config space assigned to that bridge.
    >>>
    >>> Limitation:
    >>> * Only PCI ECAM configuration space access is supported.

    This is really the limitation which we have to think of now as there are lots of

    HW w/o ECAM support and not providing a way to use PCI(e) on those boards

    would render them useless wrt PCI. I don't suggest to have some real code for

    that, but I would suggest we design some interfaces from day 0.

    At the same time I do understand that supporting non-ECAM bridges is a pain

Adding any type of host bridge is supported, we did put the ECAM specific code in an identified source file so that other types can be implemented. As of now we have implemented the ECAM support and we are implementing right now support for N1SDP which requires specific quirks which will be done in a separate source file.

    >>> * Device tree binding is supported as of now, ACPI is not supported.
    >>> * Need to port the PCI host bridge access code to XEN to access the configuration space (generic one works but lots of platforms will required some specific code or quirks).
    >>>
    >>> # Discovering PCI devices:
    >>>
    >>> PCI-PCIe enumeration is a process of detecting devices connected to its host. It is the responsibility of the hardware domain or boot firmware to do the PCI enumeration and configure
    Great, so we assume here that the bootloader can do the enumeration and configuration...
    >>>   the BAR, PCI capabilities, and MSI/MSI-X configuration.
    >>>
    >>> PCI-PCIe enumeration in XEN is not feasible for the configuration part as it would require a lot of code inside Xen which would require a lot of maintenance. Added to this many platforms require some quirks in that part of the PCI code which would greatly improve Xen complexity. Once hardware domain enumerates the device then it will communicate to XEN via the below hypercall.
    >>>
    >>> #define PHYSDEVOP_pci_device_add        25
    >>> struct physdev_pci_device_add {
    >>>     uint16_t seg;
    >>>     uint8_t bus;
    >>>     uint8_t devfn;
    >>>     uint32_t flags;
    >>>     struct {
    >>>     	uint8_t bus;
    >>>     	uint8_t devfn;
    >>>     } physfn;
    >>>     /*
    >>>     * Optional parameters array.
    >>>     * First element ([0]) is PXM domain associated with the device (if * XEN_PCI_DEV_PXM is set)
    >>>     */
    >>>     uint32_t optarr[XEN_FLEX_ARRAY_DIM];
    >>>     };
    >>>
    >>> As the hypercall argument has the PCI segment number, XEN will access the PCI config space based on this segment number and find the host-bridge corresponding to this segment number. At this stage host bridge is fully initialized so there will be no issue to access the config space.
    >>>
    >>> XEN will add the PCI devices in the linked list maintain in XEN using the function pci_add_device(). XEN will be aware of all the PCI devices on the system and all the device will be added to the hardware domain.
    >>>
    >>> Limitations:
    >>> * When PCI devices are added to XEN, MSI capability is not initialized inside XEN and not supported as of now.
    >>> * ACS capability is disable for ARM as of now as after enabling it devices are not accessible.
    >>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
    >> I think it is fine to assume that for dom0less the "firmware" has taken
    >> care of setting up the BARs correctly. Starting with that assumption, it
    >> looks like it should be "easy" to walk the PCI topology in Xen when/if
    >> there is no dom0?
    > Yes as we discussed during the design session, we currently think that it is the way to go.
    > We are for now relying on Dom0 to get the list of PCI devices but this is definitely the strategy we would like to use to have Dom0 support.
    > If this is working well, I even think we could get rid of the hypercall all together.
    ...and this is the same way of configuring if enumeration happens in the bootloader?

    I do support the idea we go away from PHYSDEVOP_pci_device_add, but driver domain

    just signals Xen that the enumeration is done and Xen can traverse the bus by that time.

    Please also note, that there are actually 3 cases possible wrt where the enumeration and

    configuration happens: boot firmware, Dom0, Xen. So, it seems we

    are going to have different approaches for the first two (see my comment above on

    the hypercall use in Dom0). So, walking the bus ourselves in Xen seems to be good for all

    the use-cases above

In that case we may have to implement a new hyper call to inform XEN that enumeration is complete and now scan the devices. We could tell Xen to delay its enumeration until this hyper call is called using a xen command line parameter. This way when this is not required because the firmware did the enumeration, we can properly support Dom0Less.

    >
    >
    >>
    >>> # Enable the existing x86 virtual PCI support for ARM:
    >>>
    >>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
    >>>
    >>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
    Just to make it clear: Dom0 still access the bus directly w/o emulation, right?
    >>>
    >>> Limitation:
    >>> * No handler is register for the MSI configuration.
    >>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
    >>>
    >>> # Assign the device to the guest:
    >>>
    >>> Assign the PCI device from the hardware domain to the guest is done using the below guest config option. When xl tool create the domain, PCI devices will be assigned to the guest VPCI bus.
    >>> 	pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
    >>>
    >>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
    Does this mean that we do not need to configure the bridges as those are exposed to the guest implicitly?
    >>>
    >>> Limitation:
    >>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.

    So, what happens if a guest tries to access the bridge that doesn't have the assigned

    PCI device? E.g. we pass PCIe_dev0 which is behind Bridge0 and the guest also sees

    Bridge1 and tries to access devices behind it during the enumeration.

    Could you please clarify?

The bridges are only accessible in read-only and cannot be modified. Even though a guest would see the bridge, the VPCI will only show the assigned devices behind it. If there is no device behind that bridge assigned to the guest, the guest will see an empty bus behind that bridge

    >> We need to come up with something similar for dom0less too. It could be
    >> exactly the same thing (a list of BDFs as strings as a device tree
    >> property) or something else if we can come up with a better idea.
    > Fully agree.
    > Maybe a tree topology could allow more possibilities (like giving BAR values) in the future.
    >>
    >>> # Emulated PCI device tree node in libxl:
    >>>
    >>> Libxl is creating a virtual PCI device tree node in the device tree to enable the guest OS to discover the virtual PCI during guest boot. We introduced the new config option [vpci="pci_ecam"] for guests. When this config option is enabled in a guest configuration, a PCI device tree node will be created in the guest device tree.
    >>>
    >>> A new area has been reserved in the arm guest physical map at which the VPCI bus is declared in the device tree (reg and ranges parameters of the node). A trap handler for the PCI ECAM access from guest has been registered at the defined address and redirects requests to the VPCI driver in Xen.
    >>>
    >>> Limitation:
    >>> * Only one PCI device tree node is supported as of now.
    >> I think vpci="pci_ecam" should be optional: if pci=[ "PCI_SPEC_STRING",
    >> ...] is specififed, then vpci="pci_ecam" is implied.
    >>
    >> vpci="pci_ecam" is only useful one day in the future when we want to be
    >> able to emulate other non-ecam host bridges. For now we could even skip
    >> it.
    > This would create a problem if xl is used to add a PCI device as we need the PCI node to be in the DTB when the guest is created.
    > I agree this is not needed but removing it might create more complexity in the code.

    I would suggest we have it from day 0 as there are plenty of HW available which is not ECAM.

    Having vpci allows other bridges to be supported

Yes we agree. We will take care of that.

    >
    > Bertrand
    >
    >>
    >>> BAR value and IOMEM mapping:
    >>>
    >>> Linux guest will do the PCI enumeration based on the area reserved for ECAM and IOMEM ranges in the VPCI device tree node. Once PCI	device is assigned to the guest, XEN will map the guest PCI IOMEM region to the real physical IOMEM region only for the assigned devices.
    >>>
    >>> As of now we have not modified the existing VPCI code to map the guest PCI IOMEM region to the real physical IOMEM region. We used the existing guest “iomem” config option to map the region.
    >>> For example:
    >>> 	Guest reserved IOMEM region:  0x04020000
    >>>     	Real physical IOMEM region:0x50000000
    >>>     	IOMEM size:128MB
    >>>     	iomem config will be:   iomem = ["0x50000,0x8000@0x4020"]
    >>>
    >>> There is no need to map the ECAM space as XEN already have access to the ECAM space and XEN will trap ECAM accesses from the guest and will perform read/write on the VPCI bus.
    >>>
    >>> IOMEM access will not be trapped and the guest will directly access the IOMEM region of the assigned device via stage-2 translation.
    >>>
    >>> In the same, we mapped the assigned devices IRQ to the guest using below config options.
    >>> 	irqs= [ NUMBER, NUMBER, ...]
    >>>
    >>> Limitation:
    >>> * Need to avoid the “iomem” and “irq” guest config options and map the IOMEM region and IRQ at the same time when device is assigned to the guest using the “pci” guest config options when xl creates the domain.
    >>> * Emulated BAR values on the VPCI bus should reflect the IOMEM mapped address.
    >>> * X86 mapping code should be ported on Arm so that the stage-2 translation is adapted when the guest is doing a modification of the BAR registers values (to map the address requested by the guest for a specific IOMEM to the address actually contained in the real BAR register of the corresponding device).
    >>>
    >>> # SMMU configuration for guest:
    >>>
    >>> When assigning PCI devices to a guest, the SMMU configuration should be updated to remove access to the hardware domain memory

    So, as the hardware domain still has access to the PCI configuration space, we

    can potentially have a condition when Dom0 accesses the device. AFAIU, if we have

    pci front/back then before assigning the device to the guest we unbind it from the

    real driver and bind to the back. Are we going to do something similar here?

Yes we have to unbind the driver from the hardware domain before assigning the device to the guest. Also as soon as Xen has done his PCI enumeration (either on boot or after an hypercall from the hardware domain), only Xen will access the physical PCI bus, everybody else will go through VPCI.


    Thank you,

    Oleksandr

    >>>   and add
    >>> configuration to have access to the guest memory with the proper address translation so that the device can do DMA operations from and to the guest memory only.
    >>>
    >>> # MSI/MSI-X support:
    >>> Not implement and tested as of now.
    >>>
    >>> # ITS support:
    >>> Not implement and tested as of now.
    [1] https://lists.xen.org/archives/html/xen-devel/2017-05/msg02674.html

Re: PCI devices passthrough on Arm design proposal

[Rahul Singh]

> On 18 Jul 2020, at 12:14 pm, Julien Grall <julien@xen.org> wrote:
> 
> 
> 
> On 18/07/2020 10:55, Bertrand Marquis wrote:
>>> On 17 Jul 2020, at 18:05, Roger Pau Monné <roger.pau@citrix.com> wrote:
>>> 
>>> On Fri, Jul 17, 2020 at 03:47:25PM +0000, Bertrand Marquis wrote:
>>>>> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
>>>>> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>>>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>>>>>>>> 
>>>>>>>>> # Enable the existing x86 virtual PCI support for ARM:
>>>>>>>>> 
>>>>>>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>>>>>>>> 
>>>>>>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>>>>>>>> 
>>>>>>>>> Limitation:
>>>>>>>>> * No handler is register for the MSI configuration.
>>>>>>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>>>>>>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
>>>>>> We plan to fix this by adding proper support for MSI in the long term.
>>>>>> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.
>>>>> 
>>>>> Sharing interrupts are a bit pain because you couldn't take advantage of the direct EOI in HW and have to be careful if one guest doesn't EOI in timely maneer.
>>>>> 
>>>>> This is something I would rather avoid unless there is a real use case for it.
>>>> 
>>>> I would expect that most recent hardware will support MSI and this
>>>> will not be needed.
>>> 
>>> Well, PCI Express mandates MSI support, so while this is just a spec,
>>> I would expect most (if not all) devices to support MSI (or MSI-X), as
>>> Arm platforms haven't implemented legacy PCI anyway.
>> Yes that’s our assumption to. But we have to start somewhere so MSI is
>> planned but in a future step. I would think that supporting non MSI if not
>> impossible will be a lot more complex due to the interrupt sharing.
>> I do think that not supporting non MSI should be ok on Arm.
>>> 
>>>> When MSI is not used, the only solution would be to enforce that
>>>> devices assigned to different guest are using different interrupts
>>>> which would limit the number of domains being able to use PCI
>>>> devices on a bus to 4 (if the enumeration can be modified correctly
>>>> to assign the interrupts properly).
>>>> 
>>>> If we all agree that this is an acceptable limitation then we would
>>>> not need the “interrupt sharing”.
>>> 
>>> I might be easier to start by just supporting devices that have MSI
>>> (or MSI-X) and then move to legacy interrupts if required?
>> MSI support requires also some support in the interrupt controller part
>> on arm. So there is some work to achieve that.
>>> 
>>> You should have most of the pieces you require already implemented
>>> since that's what x86 uses, and hence could reuse almost all of it?
>> Inside PCI probably but the GIC part will require some work.
> 
> We already have an ITS implementation in Xen. This is required in order to use PCI devices in DOM0 on thunder-x (there is no legacy interrupts supported).
> 
> It wasn't yet exposed to the guest because we didn't fully investigate the security aspect of the implementation. However, for a tech preview this should be sufficient.
> 

Ok We will have a look for the ITS implementation once we will start working on the MSI support. Thanks for the pointer.
> 
> -- 
> Julien Grall
> 

Re: PCI devices passthrough on Arm design proposal

[Rahul Singh]

> On 18 Jul 2020, at 12:08 pm, Julien Grall <julien@xen.org> wrote:
> 
> Hi,
> 
> On 17/07/2020 16:47, Bertrand Marquis wrote:
>>> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
>>> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>>>>     pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>>>>>> 
>>>>>>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
>>>>>>> 
>>>>>>> Limitation:
>>>>>>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.
>>>>>> Why do you want to expose all the bridges to a guest? Does this mean that the BDF should always match between the host and the guest?
>>>> That’s not really something that we wanted but this was the easiest way to go.
>>>> As said in a previous mail we could build a VPCI bus with a completely different topology but I am not sure of the advantages this would have.
>>>> Do you see some reason to do this ?
>>> 
>>> Yes :):
>>>  1) If a platform has two host controllers (IIRC Thunder-X has it) then you would need to expose two host controllers to your guest. I think this is undesirable if your guest is only using a couple of PCI devices on each host controllers.
>>>  2) In the case of migration (live or not), you may want to use a difference PCI card on the target platform. So your BDF and bridges may be different.
>>> 
>>> Therefore I think the virtual topology can be beneficial.
>> I would see a big advantage definitely to have only one VPCI bus per guest and put all devices in their independently of the hardware domain the device is on.
>> But this will probably make the VPCI BARs value computation a bit more complex as we might end up with no space on the guest physical map for it.
>> This might make the implementation a lot more complex.
> 
> I am not sure to understand your argument about the space... You should be able to find out the size of each BARs, so you can size the MMIO window correctly. This shouldn't add a lot of complexity.
> 
> I am not asking any implementation for this, but we need to make sure the design can easily be extended for other use cases. In the case of server, we will likely want to expose a single vPCI to the guest.

This is something we have to work on how to implement the virtual topology for the guest. 

> 
>>> 
>>>>>>    - Is there any memory access that can bypassed the IOMMU (e.g doorbell)?
>>>> This is still something to be investigated as part of the MSI implementation.
>>>> If you have any idea here, feel free to tell us.
>>> 
>>> My memory is a bit fuzzy here. I am sure that the doorbell can bypass the IOMMU on some platform, but I also vaguely remember that accesses to the PCI host controller memory window may also bypass the IOMMU. A good reading might be [2].
>>> 
>>> IIRC, I came to the conclusion that we may want to use the host memory map in the guest when using the PCI passthrough. But maybe not on all the platforms.
>> Definitely a lot of this would be easier if could use 1:1 mapping.
>> We will keep that in mind when we will start to investigate on the MSI part.
> 
> Hmmm... Maybe I wasn't clear enough but the problem is not only happening with MSIs doorbells. It is also with the P2P transactions.
> 
> Again, I am not asking to implement it at the beginning. However, it would be good to outline the potential limitations of the approach in your design.

As Bertrand mention once we start investigating on the MSI support we will have this in mind to proceed.
> 
> Cheers,
> 
> 
> -- 
> Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

Hi,

On 17/07/2020 17:05, Roger Pau Monné wrote:
> IIRC Julien even said that Arm was likely to require much less traps
> than x86 for accesses to MSI and MSI-X since you could allow untrusted
> guests to write directly to the registers as there's another piece of
> hardware that would already translate the interrupts?

This is correct in the case of the ITS. This is because the hardware 
will tag the message with the deviceÌD. So there is no way to spoof it.

However, this may not be the case of other MSI controllers. For 
instance, in the case of the GICv2m, I think we will need to trap and 
sanitize the MSI message (see [1]).

[1] https://www.linaro.org/blog/kvm-pciemsi-passthrough-armarm64/

-- 
Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

On 18/07/2020 10:55, Bertrand Marquis wrote:
> 
> 
>> On 17 Jul 2020, at 18:05, Roger Pau Monné <roger.pau@citrix.com> wrote:
>>
>> On Fri, Jul 17, 2020 at 03:47:25PM +0000, Bertrand Marquis wrote:
>>>> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
>>>> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>>>>>>>
>>>>>>>> # Enable the existing x86 virtual PCI support for ARM:
>>>>>>>>
>>>>>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>>>>>>>
>>>>>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>>>>>>>
>>>>>>>> Limitation:
>>>>>>>> * No handler is register for the MSI configuration.
>>>>>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>>>>>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
>>>>> We plan to fix this by adding proper support for MSI in the long term.
>>>>> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.
>>>>
>>>> Sharing interrupts are a bit pain because you couldn't take advantage of the direct EOI in HW and have to be careful if one guest doesn't EOI in timely maneer.
>>>>
>>>> This is something I would rather avoid unless there is a real use case for it.
>>>
>>> I would expect that most recent hardware will support MSI and this
>>> will not be needed.
>>
>> Well, PCI Express mandates MSI support, so while this is just a spec,
>> I would expect most (if not all) devices to support MSI (or MSI-X), as
>> Arm platforms haven't implemented legacy PCI anyway.
> 
> Yes that’s our assumption to. But we have to start somewhere so MSI is
> planned but in a future step. I would think that supporting non MSI if not
> impossible will be a lot more complex due to the interrupt sharing.
> I do think that not supporting non MSI should be ok on Arm.
> 
>>
>>> When MSI is not used, the only solution would be to enforce that
>>> devices assigned to different guest are using different interrupts
>>> which would limit the number of domains being able to use PCI
>>> devices on a bus to 4 (if the enumeration can be modified correctly
>>> to assign the interrupts properly).
>>>
>>> If we all agree that this is an acceptable limitation then we would
>>> not need the “interrupt sharing”.
>>
>> I might be easier to start by just supporting devices that have MSI
>> (or MSI-X) and then move to legacy interrupts if required?
> 
> MSI support requires also some support in the interrupt controller part
> on arm. So there is some work to achieve that.
> 
>>
>> You should have most of the pieces you require already implemented
>> since that's what x86 uses, and hence could reuse almost all of it?
> 
> Inside PCI probably but the GIC part will require some work.

We already have an ITS implementation in Xen. This is required in order 
to use PCI devices in DOM0 on thunder-x (there is no legacy interrupts 
supported).

It wasn't yet exposed to the guest because we didn't fully investigate 
the security aspect of the implementation. However, for a tech preview 
this should be sufficient.


-- 
Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

Hi,

On 17/07/2020 16:47, Bertrand Marquis wrote:
>> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
>> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>>>      pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>>>>>
>>>>>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
>>>>>>
>>>>>> Limitation:
>>>>>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.
>>>>> Why do you want to expose all the bridges to a guest? Does this mean that the BDF should always match between the host and the guest?
>>> That’s not really something that we wanted but this was the easiest way to go.
>>> As said in a previous mail we could build a VPCI bus with a completely different topology but I am not sure of the advantages this would have.
>>> Do you see some reason to do this ?
>>
>> Yes :):
>>   1) If a platform has two host controllers (IIRC Thunder-X has it) then you would need to expose two host controllers to your guest. I think this is undesirable if your guest is only using a couple of PCI devices on each host controllers.
>>   2) In the case of migration (live or not), you may want to use a difference PCI card on the target platform. So your BDF and bridges may be different.
>>
>> Therefore I think the virtual topology can be beneficial.
> 
> I would see a big advantage definitely to have only one VPCI bus per guest and put all devices in their independently of the hardware domain the device is on.
> But this will probably make the VPCI BARs value computation a bit more complex as we might end up with no space on the guest physical map for it.
> This might make the implementation a lot more complex.

I am not sure to understand your argument about the space... You should 
be able to find out the size of each BARs, so you can size the MMIO 
window correctly. This shouldn't add a lot of complexity.

I am not asking any implementation for this, but we need to make sure 
the design can easily be extended for other use cases. In the case of 
server, we will likely want to expose a single vPCI to the guest.

>>
>>>>>     - Is there any memory access that can bypassed the IOMMU (e.g doorbell)?
>>> This is still something to be investigated as part of the MSI implementation.
>>> If you have any idea here, feel free to tell us.
>>
>> My memory is a bit fuzzy here. I am sure that the doorbell can bypass the IOMMU on some platform, but I also vaguely remember that accesses to the PCI host controller memory window may also bypass the IOMMU. A good reading might be [2].
>>
>> IIRC, I came to the conclusion that we may want to use the host memory map in the guest when using the PCI passthrough. But maybe not on all the platforms.
> 
> Definitely a lot of this would be easier if could use 1:1 mapping.
> We will keep that in mind when we will start to investigate on the MSI part.

Hmmm... Maybe I wasn't clear enough but the problem is not only 
happening with MSIs doorbells. It is also with the P2P transactions.

Again, I am not asking to implement it at the beginning. However, it 
would be good to outline the potential limitations of the approach in 
your design.

Cheers,


-- 
Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Bertrand Marquis]

> On 17 Jul 2020, at 18:05, Roger Pau Monné <roger.pau@citrix.com> wrote:
> 
> On Fri, Jul 17, 2020 at 03:47:25PM +0000, Bertrand Marquis wrote:
>>> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
>>> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>>>>>> 
>>>>>>> # Enable the existing x86 virtual PCI support for ARM:
>>>>>>> 
>>>>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>>>>>> 
>>>>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>>>>>> 
>>>>>>> Limitation:
>>>>>>> * No handler is register for the MSI configuration.
>>>>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>>>>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
>>>> We plan to fix this by adding proper support for MSI in the long term.
>>>> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.
>>> 
>>> Sharing interrupts are a bit pain because you couldn't take advantage of the direct EOI in HW and have to be careful if one guest doesn't EOI in timely maneer.
>>> 
>>> This is something I would rather avoid unless there is a real use case for it.
>> 
>> I would expect that most recent hardware will support MSI and this
>> will not be needed.
> 
> Well, PCI Express mandates MSI support, so while this is just a spec,
> I would expect most (if not all) devices to support MSI (or MSI-X), as
> Arm platforms haven't implemented legacy PCI anyway.

Yes that’s our assumption to. But we have to start somewhere so MSI is
planned but in a future step. I would think that supporting non MSI if not
impossible will be a lot more complex due to the interrupt sharing.
I do think that not supporting non MSI should be ok on Arm.

> 
>> When MSI is not used, the only solution would be to enforce that
>> devices assigned to different guest are using different interrupts
>> which would limit the number of domains being able to use PCI
>> devices on a bus to 4 (if the enumeration can be modified correctly
>> to assign the interrupts properly).
>> 
>> If we all agree that this is an acceptable limitation then we would
>> not need the “interrupt sharing”.
> 
> I might be easier to start by just supporting devices that have MSI
> (or MSI-X) and then move to legacy interrupts if required?

MSI support requires also some support in the interrupt controller part
on arm. So there is some work to achieve that.

> 
> You should have most of the pieces you require already implemented
> since that's what x86 uses, and hence could reuse almost all of it?

Inside PCI probably but the GIC part will require some work.

> 
> IIRC Julien even said that Arm was likely to require much less traps
> than x86 for accesses to MSI and MSI-X since you could allow untrusted
> guests to write directly to the registers as there's another piece of
> hardware that would already translate the interrupts?

Yes this is definitely the case. The ITS part of the GIC interrupt controller
will help a lot and reduce the number of traps.

> 
> I think it's fine to use this workaround while you don't have MSI
> support in order to start testing and upstreaming stuff, but maybe
> that shouldn't be committed?

That was definitely not our plan to commit the code without MSI.
But as requested during the Xen Summit, we try to publish some code
for an RFC and a design early to get comment from the community and
we try to do that with something working, even partially and with lots of
limitations.

Bertrand

Re: PCI devices passthrough on Arm design proposal

[Roger Pau Monné]

On Fri, Jul 17, 2020 at 03:47:25PM +0000, Bertrand Marquis wrote:
> > On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
> > On 17/07/2020 15:47, Bertrand Marquis wrote:
> >>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
> >>>>> 
> >>>>> # Enable the existing x86 virtual PCI support for ARM:
> >>>>> 
> >>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
> >>>>> 
> >>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
> >>>>> 
> >>>>> Limitation:
> >>>>> * No handler is register for the MSI configuration.
> >>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
> >>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
> >> We plan to fix this by adding proper support for MSI in the long term.
> >> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.
> > 
> > Sharing interrupts are a bit pain because you couldn't take advantage of the direct EOI in HW and have to be careful if one guest doesn't EOI in timely maneer.
> > 
> > This is something I would rather avoid unless there is a real use case for it.
> 
> I would expect that most recent hardware will support MSI and this
> will not be needed.

Well, PCI Express mandates MSI support, so while this is just a spec,
I would expect most (if not all) devices to support MSI (or MSI-X), as
Arm platforms haven't implemented legacy PCI anyway.

> When MSI is not used, the only solution would be to enforce that
> devices assigned to different guest are using different interrupts
> which would limit the number of domains being able to use PCI
> devices on a bus to 4 (if the enumeration can be modified correctly
> to assign the interrupts properly).
> 
> If we all agree that this is an acceptable limitation then we would
> not need the “interrupt sharing”.

I might be easier to start by just supporting devices that have MSI
(or MSI-X) and then move to legacy interrupts if required?

You should have most of the pieces you require already implemented
since that's what x86 uses, and hence could reuse almost all of it?

IIRC Julien even said that Arm was likely to require much less traps
than x86 for accesses to MSI and MSI-X since you could allow untrusted
guests to write directly to the registers as there's another piece of
hardware that would already translate the interrupts?

I think it's fine to use this workaround while you don't have MSI
support in order to start testing and upstreaming stuff, but maybe
that shouldn't be committed?

Roger.

Re: PCI devices passthrough on Arm design proposal

[Bertrand Marquis]

> On 17 Jul 2020, at 17:26, Julien Grall <julien@xen.org> wrote:
> 
> 
> 
> On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>>> # Title:
>>>>> 
>>>>> PCI devices passthrough on Arm design proposal
>>>>> 
>>>>> # Problem statement:
>>>>> 
>>>>> On ARM there in no support to assign a PCI device to a guest. PCI device passthrough capability allows guests to have full access to some PCI devices. PCI device passthrough allows PCI devices to appear and behave as if they were physically attached to the guest operating system and provide full isolation of the PCI devices.
>>>>> 
>>>>> Goal of this work is to also support Dom0Less configuration so the PCI backend/frontend drivers used on x86 shall not be used on Arm. It will use the existing VPCI concept from X86 and implement the virtual PCI bus through IO emulation​ such that only assigned devices are visible​ to the guest and guest can use the standard PCI driver.
>>>>> 
>>>>> Only Dom0 and Xen will have access to the real PCI bus,​ guest will have a direct access to the assigned device itself​. IOMEM memory will be mapped to the guest ​and interrupt will be redirected to the guest. SMMU has to be configured correctly to have DMA transaction.
>>>>> 
>>>>> ## Current state: Draft version
>>>>> 
>>>>> # Proposer(s): Rahul Singh, Bertrand Marquis
>>>>> 
>>>>> # Proposal:
>>>>> 
>>>>> This section will describe the different subsystem to support the PCI device passthrough and how these subsystems interact with each other to assign a device to the guest.
>>>>> 
>>>>> # PCI Terminology:
>>>>> 
>>>>> Host Bridge: Host bridge allows the PCI devices to talk to the rest of the computer.
>>>>> ECAM: ECAM (Enhanced Configuration Access Mechanism) is a mechanism developed to allow PCIe to access configuration space. The space available per function is 4KB.
>>>>> 
>>>>> # Discovering PCI Host Bridge in XEN:
>>>>> 
>>>>> In order to support the PCI passthrough XEN should be aware of all the PCI host bridges available on the system and should be able to access the PCI configuration space. ECAM configuration access is supported as of now. XEN during boot will read the PCI device tree node “reg” property and will map the ECAM space to the XEN memory using the “ioremap_nocache ()” function.
>>>>> 
>>>>> If there are more than one segment on the system, XEN will read the “linux, pci-domain” property from the device tree node and configure  the host bridge segment number accordingly. All the PCI device tree nodes should have the “linux,pci-domain” property so that there will be no conflicts. During hardware domain boot Linux will also use the same “linux,pci-domain” property and assign the domain number to the host bridge.
>>>> AFAICT, "linux,pci-domain" is not a mandatory option and mostly tie to Linux. What would happen with other OS?
>>>> But I would rather avoid trying to mandate a user to modifying his/her device-tree in order to support PCI passthrough. It would be better to consider Xen to assign the number if it is not present.
>> so you would suggest here that if this entry is not present in the configuration, we just assign a value inside xen ? How should this information be passed to the guest ?
>> This number is required for the current hypercall to declare devices to xen so those could end up being different.
> 
> I am guessing you mean passing to the hardware domain? If so, Xen is already rewriting the device-tree for the hardware domain. So it would be easy to add more property.

True this can be done :-)
We will add this to the design.

> 
> Now the question is whether other OSes are using "linux,pci-domain". I would suggest to have a look at a *BSD to see how they deal with PCI controllers.

Good idea, we will check how BSD is using the hypercall to declare PCI devices and what value is used there for the domain id.

> 
>>>>> 
>>>>> When Dom0 tries to access the PCI config space of the device, XEN will find the corresponding host bridge based on segment number and access the corresponding config space assigned to that bridge.
>>>>> 
>>>>> Limitation:
>>>>> * Only PCI ECAM configuration space access is supported.
>>>>> * Device tree binding is supported as of now, ACPI is not supported.
>>>> We want to differentiate the high-level design from the actual implementation. While you may not yet implement ACPI, we still need to keep it in mind to avoid incompatibilities in long term.
>> For sure we do not want to make anything which would not be possible to implement with ACPI.
>> I hope the community will help us during review to find those possible problems if we do not see them.
> 
> Have a look at the design document I pointed out in my previous answer. It should contain a lot of information already for ACPI :).

Thanks for the pointer, we will go through that

> 
>>>>> * Need to port the PCI host bridge access code to XEN to access the configuration space (generic one works but lots of platforms will required  some specific code or quirks).
>>>>> 
>>>>> # Discovering PCI devices:
>>>>> 
>>>>> PCI-PCIe enumeration is a process of detecting devices connected to its host. It is the responsibility of the hardware domain or boot firmware to do the PCI enumeration and configure the BAR, PCI capabilities, and MSI/MSI-X configuration.
>>>>> 
>>>>> PCI-PCIe enumeration in XEN is not feasible for the configuration part as it would require a lot of code inside Xen which would require a lot of maintenance. Added to this many platforms require some quirks in that part of the PCI code which would greatly improve Xen complexity. Once hardware domain enumerates the device then it will communicate to XEN via the below hypercall.
>>>>> 
>>>>> #define PHYSDEVOP_pci_device_add        25
>>>>> struct physdev_pci_device_add {
>>>>>      uint16_t seg;
>>>>>      uint8_t bus;
>>>>>      uint8_t devfn;
>>>>>      uint32_t flags;
>>>>>      struct {
>>>>>          uint8_t bus;
>>>>>          uint8_t devfn;
>>>>>      } physfn;
>>>>>      /*
>>>>>      * Optional parameters array.
>>>>>      * First element ([0]) is PXM domain associated with the device (if * XEN_PCI_DEV_PXM is set)
>>>>>      */
>>>>>      uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>>>>      };
>>>>> 
>>>>> As the hypercall argument has the PCI segment number, XEN will access the PCI config space based on this segment number and find the host-bridge corresponding to this segment number. At this stage host bridge is fully initialized so there will be no issue to access the config space.
>>>>> 
>>>>> XEN will add the PCI devices in the linked list maintain in XEN using the function pci_add_device(). XEN will be aware of all the PCI devices on the system and all the device will be added to the hardware domain.
>>>> I understand this what x86 does. However, may I ask why we would want it for Arm?
>> We wanted to be as near as possible from x86 implementation and design.
>> But if you have an other idea here we are fully open to discuss it.
> 
> In the case of platform device passthrough, we are leaving the device unassigned when not using by a guest. This makes sure the device can't do any harm if somehow it wasn't reset correctly.
> 
> I would prefer to consider the same approach for PCI devices if there is no plan to use it in dom0. Although, we need to figure out how PCI devices will be reset.

Definitely we cannot rely on a guest to reset the device properly if it is killed and I doubt there is a “standard” way to do a reset of a PCI device that works all the time.
So I agree that leaving it unassigned is better and more secure.
We will modify our design accordingly.

> 
>>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>>>> 
>>>>> # Enable the existing x86 virtual PCI support for ARM:
>>>>> 
>>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>>>> 
>>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>>>> 
>>>>> Limitation:
>>>>> * No handler is register for the MSI configuration.
>>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
>> We plan to fix this by adding proper support for MSI in the long term.
>> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.
> 
> Sharing interrupts are a bit pain because you couldn't take advantage of the direct EOI in HW and have to be careful if one guest doesn't EOI in timely maneer.
> 
> This is something I would rather avoid unless there is a real use case for it.

I would expect that most recent hardware will support MSI and this will not be needed.
When MSI is not used, the only solution would be to enforce that devices assigned to different guest are using different interrupts which would limit the number of domains being able to use PCI devices on a bus to 4 (if the enumeration can be modified correctly to assign the interrupts properly).
If we all agree that this is an acceptable limitation then we would not need the “interrupt sharing”.

> 
>>>>> 
>>>>> # Assign the device to the guest:
>>>>> 
>>>>> Assign the PCI device from the hardware domain to the guest is done using the below guest config option. When xl tool create the domain, PCI devices will be assigned to the guest VPCI bus.
>>>> Above, you suggest that device will be assigned to the hardware domain at boot. I am assuming this also means that all the interrupts/MMIOs will be routed/mapped, is that correct?
>>>> If so, can you provide a rough sketch how assign/deassign will work?
>> Yes this is correct. We will improve the design and add a more detailed description on that in the next version.
>> To make it short we remove the resources from the hardware domain first and assign them to the guest the device has been assigned to. There are still some parts in there where we are still in investigation mode on that part.
> 
> Hmmm... Does this mean you modified the code to allow a interrupt to be removed while the domain is still running?

For now we are not doing this automatically so this is done by explicitely assigning an interrupt to the guest in the configuration of the guest.
So we did not modify the code for that so far as this is part of the implementation using workarounds right now.

> 
>>>>>     pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>>>> 
>>>>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
>>>>> 
>>>>> Limitation:
>>>>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.
>>>> Why do you want to expose all the bridges to a guest? Does this mean that the BDF should always match between the host and the guest?
>> That’s not really something that we wanted but this was the easiest way to go.
>> As said in a previous mail we could build a VPCI bus with a completely different topology but I am not sure of the advantages this would have.
>> Do you see some reason to do this ?
> 
> Yes :):
>  1) If a platform has two host controllers (IIRC Thunder-X has it) then you would need to expose two host controllers to your guest. I think this is undesirable if your guest is only using a couple of PCI devices on each host controllers.
>  2) In the case of migration (live or not), you may want to use a difference PCI card on the target platform. So your BDF and bridges may be different.
> 
> Therefore I think the virtual topology can be beneficial.

I would see a big advantage definitely to have only one VPCI bus per guest and put all devices in their independently of the hardware domain the device is on.
But this will probably make the VPCI BARs value computation a bit more complex as we might end up with no space on the guest physical map for it.
This might make the implementation a lot more complex.

> 
>>>>> 
>>>>> # Emulated PCI device tree node in libxl:
>>>>> 
>>>>> Libxl is creating a virtual PCI device tree node in the device tree to enable the guest OS to discover the virtual PCI during guest boot. We introduced the new config option [vpci="pci_ecam"] for guests. When this config option is enabled in a guest configuration, a PCI device tree node will be created in the guest device tree.
>>>>> 
>>>>> A new area has been reserved in the arm guest physical map at which the VPCI bus is declared in the device tree (reg and ranges parameters of the node). A trap handler for the PCI ECAM access from guest has been registered at the defined address and redirects requests to the VPCI driver in Xen.
>>>>> 
>>>>> Limitation:
>>>>> * Only one PCI device tree node is supported as of now.
>>>>> 
>>>>> BAR value and IOMEM mapping:
>>>>> 
>>>>> Linux guest will do the PCI enumeration based on the area reserved for ECAM and IOMEM ranges in the VPCI device tree node. Once PCI    device is assigned to the guest, XEN will map the guest PCI IOMEM region to the real physical IOMEM region only for the assigned devices.
>>>>> 
>>>>> As of now we have not modified the existing VPCI code to map the guest PCI IOMEM region to the real physical IOMEM region. We used the existing guest “iomem” config option to map the region.
>>>>> For example:
>>>>>     Guest reserved IOMEM region:  0x04020000
>>>>>          Real physical IOMEM region:0x50000000
>>>>>          IOMEM size:128MB
>>>>>          iomem config will be:   iomem = ["0x50000,0x8000@0x4020"]
>>>>> 
>>>>> There is no need to map the ECAM space as XEN already have access to the ECAM space and XEN will trap ECAM accesses from the guest and will perform read/write on the VPCI bus.
>>>>> 
>>>>> IOMEM access will not be trapped and the guest will directly access the IOMEM region of the assigned device via stage-2 translation.
>>>>> 
>>>>> In the same, we mapped the assigned devices IRQ to the guest using below config options.
>>>>>     irqs= [ NUMBER, NUMBER, ...]
>>>>> 
>>>>> Limitation:
>>>>> * Need to avoid the “iomem” and “irq” guest config options and map the IOMEM region and IRQ at the same time when device is assigned to the guest using the “pci” guest config options when xl creates the domain.
>>>>> * Emulated BAR values on the VPCI bus should reflect the IOMEM mapped address.
>>>>> * X86 mapping code should be ported on Arm so that the stage-2 translation is adapted when the guest is doing a modification of the BAR registers values (to map the address requested by the guest for a specific IOMEM to the address actually contained in the real BAR register of the corresponding device).
>>>>> 
>>>>> # SMMU configuration for guest:
>>>>> 
>>>>> When assigning PCI devices to a guest, the SMMU configuration should be updated to remove access to the hardware domain memory and add
>>>>> configuration to have access to the guest memory with the proper address translation so that the device can do DMA operations from and to the guest memory only.
>>>> There are a few more questions to answer here:
>>>>    - When a guest is destroyed, who will be the owner of the PCI devices? Depending on the answer, how do you make sure the device is quiescent?
>> I would say the hardware domain if there is one otherwise nobody.
> 
> This is risky, in particular if your device is not quiescent (e.g because the reset failed). This would mean your device may be able to rewrite part of Dom0.

Agree. We should not reassign the device to Dom0 and always let is unassigned.
We will modify the design accordingly

> 
>> On the quiescent part this is definitely something for which I have no answer for now and any suggestion is more then welcome.
> 
> Usually you will have to reset a device, but I am not sure this can always work properly. Hence, I think assigning the PCI devices to nobody would be more sensible. Note this is what XSA-306 aimed to do on x86 (not yet implemented on Arm).

Ack

> 
>>>>    - Is there any memory access that can bypassed the IOMMU (e.g doorbell)?
>> This is still something to be investigated as part of the MSI implementation.
>> If you have any idea here, feel free to tell us.
> 
> My memory is a bit fuzzy here. I am sure that the doorbell can bypass the IOMMU on some platform, but I also vaguely remember that accesses to the PCI host controller memory window may also bypass the IOMMU. A good reading might be [2].
> 
> IIRC, I came to the conclusion that we may want to use the host memory map in the guest when using the PCI passthrough. But maybe not on all the platforms.

Definitely a lot of this would be easier if could use 1:1 mapping.
We will keep that in mind when we will start to investigate on the MSI part.

Cheers
Bertrand

> 
> Cheers,
> 
>>>> [1] https://lists.xenproject.org/archives/html/xen-devel/2017-05/msg02520.html
> 
> [2] https://www.spinics.net/lists/kvm/msg140116.html
>>> 
>>> -- 
>>> Julien Grall
>>> 
> 
> -- 
> Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

On 17/07/2020 15:47, Bertrand Marquis wrote:
>>>> # Title:
>>>>
>>>> PCI devices passthrough on Arm design proposal
>>>>
>>>> # Problem statement:
>>>>
>>>> On ARM there in no support to assign a PCI device to a guest. PCI device passthrough capability allows guests to have full access to some PCI devices. PCI device passthrough allows PCI devices to appear and behave as if they were physically attached to the guest operating system and provide full isolation of the PCI devices.
>>>>
>>>> Goal of this work is to also support Dom0Less configuration so the PCI backend/frontend drivers used on x86 shall not be used on Arm. It will use the existing VPCI concept from X86 and implement the virtual PCI bus through IO emulation​ such that only assigned devices are visible​ to the guest and guest can use the standard PCI driver.
>>>>
>>>> Only Dom0 and Xen will have access to the real PCI bus,​ guest will have a direct access to the assigned device itself​. IOMEM memory will be mapped to the guest ​and interrupt will be redirected to the guest. SMMU has to be configured correctly to have DMA transaction.
>>>>
>>>> ## Current state: Draft version
>>>>
>>>> # Proposer(s): Rahul Singh, Bertrand Marquis
>>>>
>>>> # Proposal:
>>>>
>>>> This section will describe the different subsystem to support the PCI device passthrough and how these subsystems interact with each other to assign a device to the guest.
>>>>
>>>> # PCI Terminology:
>>>>
>>>> Host Bridge: Host bridge allows the PCI devices to talk to the rest of the computer.
>>>> ECAM: ECAM (Enhanced Configuration Access Mechanism) is a mechanism developed to allow PCIe to access configuration space. The space available per function is 4KB.
>>>>
>>>> # Discovering PCI Host Bridge in XEN:
>>>>
>>>> In order to support the PCI passthrough XEN should be aware of all the PCI host bridges available on the system and should be able to access the PCI configuration space. ECAM configuration access is supported as of now. XEN during boot will read the PCI device tree node “reg” property and will map the ECAM space to the XEN memory using the “ioremap_nocache ()” function.
>>>>
>>>> If there are more than one segment on the system, XEN will read the “linux, pci-domain” property from the device tree node and configure  the host bridge segment number accordingly. All the PCI device tree nodes should have the “linux,pci-domain” property so that there will be no conflicts. During hardware domain boot Linux will also use the same “linux,pci-domain” property and assign the domain number to the host bridge.
>>> AFAICT, "linux,pci-domain" is not a mandatory option and mostly tie to Linux. What would happen with other OS?
>>> But I would rather avoid trying to mandate a user to modifying his/her device-tree in order to support PCI passthrough. It would be better to consider Xen to assign the number if it is not present.
> 
> so you would suggest here that if this entry is not present in the configuration, we just assign a value inside xen ? How should this information be passed to the guest ?
> This number is required for the current hypercall to declare devices to xen so those could end up being different.

I am guessing you mean passing to the hardware domain? If so, Xen is 
already rewriting the device-tree for the hardware domain. So it would 
be easy to add more property.

Now the question is whether other OSes are using "linux,pci-domain". I 
would suggest to have a look at a *BSD to see how they deal with PCI 
controllers.

> 
>>>>
>>>> When Dom0 tries to access the PCI config space of the device, XEN will find the corresponding host bridge based on segment number and access the corresponding config space assigned to that bridge.
>>>>
>>>> Limitation:
>>>> * Only PCI ECAM configuration space access is supported.
>>>> * Device tree binding is supported as of now, ACPI is not supported.
>>> We want to differentiate the high-level design from the actual implementation. While you may not yet implement ACPI, we still need to keep it in mind to avoid incompatibilities in long term.
> 
> For sure we do not want to make anything which would not be possible to implement with ACPI.
> I hope the community will help us during review to find those possible problems if we do not see them.

Have a look at the design document I pointed out in my previous answer. 
It should contain a lot of information already for ACPI :).

> 
>>>> * Need to port the PCI host bridge access code to XEN to access the configuration space (generic one works but lots of platforms will required  some specific code or quirks).
>>>>
>>>> # Discovering PCI devices:
>>>>
>>>> PCI-PCIe enumeration is a process of detecting devices connected to its host. It is the responsibility of the hardware domain or boot firmware to do the PCI enumeration and configure the BAR, PCI capabilities, and MSI/MSI-X configuration.
>>>>
>>>> PCI-PCIe enumeration in XEN is not feasible for the configuration part as it would require a lot of code inside Xen which would require a lot of maintenance. Added to this many platforms require some quirks in that part of the PCI code which would greatly improve Xen complexity. Once hardware domain enumerates the device then it will communicate to XEN via the below hypercall.
>>>>
>>>> #define PHYSDEVOP_pci_device_add        25
>>>> struct physdev_pci_device_add {
>>>>       uint16_t seg;
>>>>       uint8_t bus;
>>>>       uint8_t devfn;
>>>>       uint32_t flags;
>>>>       struct {
>>>>           uint8_t bus;
>>>>           uint8_t devfn;
>>>>       } physfn;
>>>>       /*
>>>>       * Optional parameters array.
>>>>       * First element ([0]) is PXM domain associated with the device (if * XEN_PCI_DEV_PXM is set)
>>>>       */
>>>>       uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>>>       };
>>>>
>>>> As the hypercall argument has the PCI segment number, XEN will access the PCI config space based on this segment number and find the host-bridge corresponding to this segment number. At this stage host bridge is fully initialized so there will be no issue to access the config space.
>>>>
>>>> XEN will add the PCI devices in the linked list maintain in XEN using the function pci_add_device(). XEN will be aware of all the PCI devices on the system and all the device will be added to the hardware domain.
>>> I understand this what x86 does. However, may I ask why we would want it for Arm?
> 
> We wanted to be as near as possible from x86 implementation and design.
> But if you have an other idea here we are fully open to discuss it.

In the case of platform device passthrough, we are leaving the device 
unassigned when not using by a guest. This makes sure the device can't 
do any harm if somehow it wasn't reset correctly.

I would prefer to consider the same approach for PCI devices if there is 
no plan to use it in dom0. Although, we need to figure out how PCI 
devices will be reset.

>>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>>>
>>>> # Enable the existing x86 virtual PCI support for ARM:
>>>>
>>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>>>
>>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>>>
>>>> Limitation:
>>>> * No handler is register for the MSI configuration.
>>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?
> 
> We plan to fix this by adding proper support for MSI in the long term.
> For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.

Sharing interrupts are a bit pain because you couldn't take advantage of 
the direct EOI in HW and have to be careful if one guest doesn't EOI in 
timely maneer.

This is something I would rather avoid unless there is a real use case 
for it.

> 
>>>>
>>>> # Assign the device to the guest:
>>>>
>>>> Assign the PCI device from the hardware domain to the guest is done using the below guest config option. When xl tool create the domain, PCI devices will be assigned to the guest VPCI bus.
>>> Above, you suggest that device will be assigned to the hardware domain at boot. I am assuming this also means that all the interrupts/MMIOs will be routed/mapped, is that correct?
>>> If so, can you provide a rough sketch how assign/deassign will work?
> 
> Yes this is correct. We will improve the design and add a more detailed description on that in the next version.
> To make it short we remove the resources from the hardware domain first and assign them to the guest the device has been assigned to. There are still some parts in there where we are still in investigation mode on that part.

Hmmm... Does this mean you modified the code to allow a interrupt to be 
removed while the domain is still running?

> 
>>>>      pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>>>
>>>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
>>>>
>>>> Limitation:
>>>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.
>>> Why do you want to expose all the bridges to a guest? Does this mean that the BDF should always match between the host and the guest?
> 
> That’s not really something that we wanted but this was the easiest way to go.
> As said in a previous mail we could build a VPCI bus with a completely different topology but I am not sure of the advantages this would have.
> Do you see some reason to do this ?

Yes :):
   1) If a platform has two host controllers (IIRC Thunder-X has it) 
then you would need to expose two host controllers to your guest. I 
think this is undesirable if your guest is only using a couple of PCI 
devices on each host controllers.
   2) In the case of migration (live or not), you may want to use a 
difference PCI card on the target platform. So your BDF and bridges may 
be different.

Therefore I think the virtual topology can be beneficial.

> 
>>>>
>>>> # Emulated PCI device tree node in libxl:
>>>>
>>>> Libxl is creating a virtual PCI device tree node in the device tree to enable the guest OS to discover the virtual PCI during guest boot. We introduced the new config option [vpci="pci_ecam"] for guests. When this config option is enabled in a guest configuration, a PCI device tree node will be created in the guest device tree.
>>>>
>>>> A new area has been reserved in the arm guest physical map at which the VPCI bus is declared in the device tree (reg and ranges parameters of the node). A trap handler for the PCI ECAM access from guest has been registered at the defined address and redirects requests to the VPCI driver in Xen.
>>>>
>>>> Limitation:
>>>> * Only one PCI device tree node is supported as of now.
>>>>
>>>> BAR value and IOMEM mapping:
>>>>
>>>> Linux guest will do the PCI enumeration based on the area reserved for ECAM and IOMEM ranges in the VPCI device tree node. Once PCI    device is assigned to the guest, XEN will map the guest PCI IOMEM region to the real physical IOMEM region only for the assigned devices.
>>>>
>>>> As of now we have not modified the existing VPCI code to map the guest PCI IOMEM region to the real physical IOMEM region. We used the existing guest “iomem” config option to map the region.
>>>> For example:
>>>>      Guest reserved IOMEM region:  0x04020000
>>>>           Real physical IOMEM region:0x50000000
>>>>           IOMEM size:128MB
>>>>           iomem config will be:   iomem = ["0x50000,0x8000@0x4020"]
>>>>
>>>> There is no need to map the ECAM space as XEN already have access to the ECAM space and XEN will trap ECAM accesses from the guest and will perform read/write on the VPCI bus.
>>>>
>>>> IOMEM access will not be trapped and the guest will directly access the IOMEM region of the assigned device via stage-2 translation.
>>>>
>>>> In the same, we mapped the assigned devices IRQ to the guest using below config options.
>>>>      irqs= [ NUMBER, NUMBER, ...]
>>>>
>>>> Limitation:
>>>> * Need to avoid the “iomem” and “irq” guest config options and map the IOMEM region and IRQ at the same time when device is assigned to the guest using the “pci” guest config options when xl creates the domain.
>>>> * Emulated BAR values on the VPCI bus should reflect the IOMEM mapped address.
>>>> * X86 mapping code should be ported on Arm so that the stage-2 translation is adapted when the guest is doing a modification of the BAR registers values (to map the address requested by the guest for a specific IOMEM to the address actually contained in the real BAR register of the corresponding device).
>>>>
>>>> # SMMU configuration for guest:
>>>>
>>>> When assigning PCI devices to a guest, the SMMU configuration should be updated to remove access to the hardware domain memory and add
>>>> configuration to have access to the guest memory with the proper address translation so that the device can do DMA operations from and to the guest memory only.
>>> There are a few more questions to answer here:
>>>     - When a guest is destroyed, who will be the owner of the PCI devices? Depending on the answer, how do you make sure the device is quiescent?
> 
> I would say the hardware domain if there is one otherwise nobody.

This is risky, in particular if your device is not quiescent (e.g 
because the reset failed). This would mean your device may be able to 
rewrite part of Dom0.

> On the quiescent part this is definitely something for which I have no answer for now and any suggestion is more then welcome.

Usually you will have to reset a device, but I am not sure this can 
always work properly. Hence, I think assigning the PCI devices to nobody 
would be more sensible. Note this is what XSA-306 aimed to do on x86 
(not yet implemented on Arm).

> 
>>>     - Is there any memory access that can bypassed the IOMMU (e.g doorbell)?
> 
> This is still something to be investigated as part of the MSI implementation.
> If you have any idea here, feel free to tell us.

My memory is a bit fuzzy here. I am sure that the doorbell can bypass 
the IOMMU on some platform, but I also vaguely remember that accesses to 
the PCI host controller memory window may also bypass the IOMMU. A good 
reading might be [2].

IIRC, I came to the conclusion that we may want to use the host memory 
map in the guest when using the PCI passthrough. But maybe not on all 
the platforms.

Cheers,

>>> [1] https://lists.xenproject.org/archives/html/xen-devel/2017-05/msg02520.html

[2] https://www.spinics.net/lists/kvm/msg140116.html
>>
>> -- 
>> Julien Grall
>>
> 

-- 
Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Bertrand Marquis]

> On 17 Jul 2020, at 15:50, Julien Grall <julien@xen.org> wrote:
> 
> (Resending to the correct ML)
> 
> On 17/07/2020 14:23, Julien Grall wrote:
>> On 16/07/2020 18:02, Rahul Singh wrote:
>>> Hello All,
>> Hi,
>>> Following up on discussion on PCI Passthrough support on ARM that we had at the XEN summit, we are submitting a Review For Comment and a design proposal for PCI passthrough support on ARM. Feel free to give your feedback.
>>> 
>>> The followings describe the high-level design proposal of the PCI passthrough support and how the different modules within the system interacts with each other to assign a particular PCI device to the guest.
>> There was an attempt a few years ago to get a design document for PCI passthrough (see [1]). I would suggest to have a look at the thread as I think it would help to have an overview of all the components (e.g MSI controllers...) even if they will not be implemented at the beginning.

Thanks for the pointer. This design is a first draft that we will improve and complete it along the way.

>>> 
>>> # Title:
>>> 
>>> PCI devices passthrough on Arm design proposal
>>> 
>>> # Problem statement:
>>> 
>>> On ARM there in no support to assign a PCI device to a guest. PCI device passthrough capability allows guests to have full access to some PCI devices. PCI device passthrough allows PCI devices to appear and behave as if they were physically attached to the guest operating system and provide full isolation of the PCI devices.
>>> 
>>> Goal of this work is to also support Dom0Less configuration so the PCI backend/frontend drivers used on x86 shall not be used on Arm. It will use the existing VPCI concept from X86 and implement the virtual PCI bus through IO emulation​ such that only assigned devices are visible​ to the guest and guest can use the standard PCI driver.
>>> 
>>> Only Dom0 and Xen will have access to the real PCI bus,​ guest will have a direct access to the assigned device itself​. IOMEM memory will be mapped to the guest ​and interrupt will be redirected to the guest. SMMU has to be configured correctly to have DMA transaction.
>>> 
>>> ## Current state: Draft version
>>> 
>>> # Proposer(s): Rahul Singh, Bertrand Marquis
>>> 
>>> # Proposal:
>>> 
>>> This section will describe the different subsystem to support the PCI device passthrough and how these subsystems interact with each other to assign a device to the guest.
>>> 
>>> # PCI Terminology:
>>> 
>>> Host Bridge: Host bridge allows the PCI devices to talk to the rest of the computer.
>>> ECAM: ECAM (Enhanced Configuration Access Mechanism) is a mechanism developed to allow PCIe to access configuration space. The space available per function is 4KB.
>>> 
>>> # Discovering PCI Host Bridge in XEN:
>>> 
>>> In order to support the PCI passthrough XEN should be aware of all the PCI host bridges available on the system and should be able to access the PCI configuration space. ECAM configuration access is supported as of now. XEN during boot will read the PCI device tree node “reg” property and will map the ECAM space to the XEN memory using the “ioremap_nocache ()” function.
>>> 
>>> If there are more than one segment on the system, XEN will read the “linux, pci-domain” property from the device tree node and configure  the host bridge segment number accordingly. All the PCI device tree nodes should have the “linux,pci-domain” property so that there will be no conflicts. During hardware domain boot Linux will also use the same “linux,pci-domain” property and assign the domain number to the host bridge.
>> AFAICT, "linux,pci-domain" is not a mandatory option and mostly tie to Linux. What would happen with other OS?
>> But I would rather avoid trying to mandate a user to modifying his/her device-tree in order to support PCI passthrough. It would be better to consider Xen to assign the number if it is not present.

so you would suggest here that if this entry is not present in the configuration, we just assign a value inside xen ? How should this information be passed to the guest ? 
This number is required for the current hypercall to declare devices to xen so those could end up being different.

>>> 
>>> When Dom0 tries to access the PCI config space of the device, XEN will find the corresponding host bridge based on segment number and access the corresponding config space assigned to that bridge.
>>> 
>>> Limitation:
>>> * Only PCI ECAM configuration space access is supported.
>>> * Device tree binding is supported as of now, ACPI is not supported.
>> We want to differentiate the high-level design from the actual implementation. While you may not yet implement ACPI, we still need to keep it in mind to avoid incompatibilities in long term.

For sure we do not want to make anything which would not be possible to implement with ACPI. 
I hope the community will help us during review to find those possible problems if we do not see them. 

>>> * Need to port the PCI host bridge access code to XEN to access the configuration space (generic one works but lots of platforms will required  some specific code or quirks).
>>> 
>>> # Discovering PCI devices:
>>> 
>>> PCI-PCIe enumeration is a process of detecting devices connected to its host. It is the responsibility of the hardware domain or boot firmware to do the PCI enumeration and configure the BAR, PCI capabilities, and MSI/MSI-X configuration.
>>> 
>>> PCI-PCIe enumeration in XEN is not feasible for the configuration part as it would require a lot of code inside Xen which would require a lot of maintenance. Added to this many platforms require some quirks in that part of the PCI code which would greatly improve Xen complexity. Once hardware domain enumerates the device then it will communicate to XEN via the below hypercall.
>>> 
>>> #define PHYSDEVOP_pci_device_add        25
>>> struct physdev_pci_device_add {
>>>      uint16_t seg;
>>>      uint8_t bus;
>>>      uint8_t devfn;
>>>      uint32_t flags;
>>>      struct {
>>>          uint8_t bus;
>>>          uint8_t devfn;
>>>      } physfn;
>>>      /*
>>>      * Optional parameters array.
>>>      * First element ([0]) is PXM domain associated with the device (if * XEN_PCI_DEV_PXM is set)
>>>      */
>>>      uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>>      };
>>> 
>>> As the hypercall argument has the PCI segment number, XEN will access the PCI config space based on this segment number and find the host-bridge corresponding to this segment number. At this stage host bridge is fully initialized so there will be no issue to access the config space.
>>> 
>>> XEN will add the PCI devices in the linked list maintain in XEN using the function pci_add_device(). XEN will be aware of all the PCI devices on the system and all the device will be added to the hardware domain.
>> I understand this what x86 does. However, may I ask why we would want it for Arm?

We wanted to be as near as possible from x86 implementation and design. 
But if you have an other idea here we are fully open to discuss it. 

>>> 
>>> Limitations:
>>> * When PCI devices are added to XEN, MSI capability is not initialized inside XEN and not supported as of now.
>>> * ACS capability is disable for ARM as of now as after enabling it devices are not accessible.
>> I am not sure to understand this. Can you expand?

As a temporary workaround we turned that feature off in the code for now but we will fix that later.

>>> * Dom0Less implementation will require to have the capacity inside Xen to discover the PCI devices (without depending on Dom0 to declare them to Xen).
>>> 
>>> # Enable the existing x86 virtual PCI support for ARM:
>>> 
>>> The existing VPCI support available for X86 is adapted for Arm. When the device is added to XEN via the hyper call “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access is added to the PCI device to emulate the PCI devices.
>>> 
>>> A MMIO trap handler for the PCI ECAM space is registered in XEN so that when guest is trying to access the PCI config space, XEN will trap the access and emulate read/write using the VPCI and not the real PCI hardware.
>>> 
>>> Limitation:
>>> * No handler is register for the MSI configuration.
>>> * Only legacy interrupt is supported and tested as of now, MSI is not implemented and tested.
>> IIRC, legacy interrupt may be shared between two PCI devices. How do you plan to handle this on Arm?

We plan to fix this by adding proper support for MSI in the long term. 
For the use case where MSI is not supported or not wanted we might have to find a way to forward the hardware interrupt to several guests to emulate some kind of shared interrupt.

>>> 
>>> # Assign the device to the guest:
>>> 
>>> Assign the PCI device from the hardware domain to the guest is done using the below guest config option. When xl tool create the domain, PCI devices will be assigned to the guest VPCI bus.
>> Above, you suggest that device will be assigned to the hardware domain at boot. I am assuming this also means that all the interrupts/MMIOs will be routed/mapped, is that correct?
>> If so, can you provide a rough sketch how assign/deassign will work?

Yes this is correct. We will improve the design and add a more detailed description on that in the next version. 
To make it short we remove the resources from the hardware domain first and assign them to the guest the device has been assigned to. There are still some parts in there where we are still in investigation mode on that part. 

>>>     pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>> 
>>> Guest will be only able to access the assigned devices and see the bridges. Guest will not be able to access or see the devices that are no assigned to him.
>>> 
>>> Limitation:
>>> * As of now all the bridges in the PCI bus are seen by the guest on the VPCI bus.
>> Why do you want to expose all the bridges to a guest? Does this mean that the BDF should always match between the host and the guest?

That’s not really something that we wanted but this was the easiest way to go.
As said in a previous mail we could build a VPCI bus with a completely different topology but I am not sure of the advantages this would have.
Do you see some reason to do this ?

>>> 
>>> # Emulated PCI device tree node in libxl:
>>> 
>>> Libxl is creating a virtual PCI device tree node in the device tree to enable the guest OS to discover the virtual PCI during guest boot. We introduced the new config option [vpci="pci_ecam"] for guests. When this config option is enabled in a guest configuration, a PCI device tree node will be created in the guest device tree.
>>> 
>>> A new area has been reserved in the arm guest physical map at which the VPCI bus is declared in the device tree (reg and ranges parameters of the node). A trap handler for the PCI ECAM access from guest has been registered at the defined address and redirects requests to the VPCI driver in Xen.
>>> 
>>> Limitation:
>>> * Only one PCI device tree node is supported as of now.
>>> 
>>> BAR value and IOMEM mapping:
>>> 
>>> Linux guest will do the PCI enumeration based on the area reserved for ECAM and IOMEM ranges in the VPCI device tree node. Once PCI    device is assigned to the guest, XEN will map the guest PCI IOMEM region to the real physical IOMEM region only for the assigned devices.
>>> 
>>> As of now we have not modified the existing VPCI code to map the guest PCI IOMEM region to the real physical IOMEM region. We used the existing guest “iomem” config option to map the region.
>>> For example:
>>>     Guest reserved IOMEM region:  0x04020000
>>>          Real physical IOMEM region:0x50000000
>>>          IOMEM size:128MB
>>>          iomem config will be:   iomem = ["0x50000,0x8000@0x4020"]
>>> 
>>> There is no need to map the ECAM space as XEN already have access to the ECAM space and XEN will trap ECAM accesses from the guest and will perform read/write on the VPCI bus.
>>> 
>>> IOMEM access will not be trapped and the guest will directly access the IOMEM region of the assigned device via stage-2 translation.
>>> 
>>> In the same, we mapped the assigned devices IRQ to the guest using below config options.
>>>     irqs= [ NUMBER, NUMBER, ...]
>>> 
>>> Limitation:
>>> * Need to avoid the “iomem” and “irq” guest config options and map the IOMEM region and IRQ at the same time when device is assigned to the guest using the “pci” guest config options when xl creates the domain.
>>> * Emulated BAR values on the VPCI bus should reflect the IOMEM mapped address.
>>> * X86 mapping code should be ported on Arm so that the stage-2 translation is adapted when the guest is doing a modification of the BAR registers values (to map the address requested by the guest for a specific IOMEM to the address actually contained in the real BAR register of the corresponding device).
>>> 
>>> # SMMU configuration for guest:
>>> 
>>> When assigning PCI devices to a guest, the SMMU configuration should be updated to remove access to the hardware domain memory and add
>>> configuration to have access to the guest memory with the proper address translation so that the device can do DMA operations from and to the guest memory only.
>> There are a few more questions to answer here:
>>    - When a guest is destroyed, who will be the owner of the PCI devices? Depending on the answer, how do you make sure the device is quiescent?

I would say the hardware domain if there is one otherwise nobody. 
On the quiescent part this is definitely something for which I have no answer for now and any suggestion is more then welcome.

>>    - Is there any memory access that can bypassed the IOMMU (e.g doorbell)?

This is still something to be investigated as part of the MSI implementation. 
If you have any idea here, feel free to tell us. 

We are submitting all this as requested during Xen Summit to have some first feedback but this is a huge work package and there are still lots of areas that we have to dig into :-)

Cheers
Bertrand

>> Cheers,
>> [1] https://lists.xenproject.org/archives/html/xen-devel/2017-05/msg02520.html
> 
> -- 
> Julien Grall
> 

Re: PCI devices passthrough on Arm design proposal

[Jan Beulich]

On 17.07.2020 16:12, Julien Grall wrote:
> On 17/07/2020 14:59, Jan Beulich wrote:
>> Personally I'd much
>> prefer if we didn't have two fundamentally different PCI implementations
>> in the tree. Perhaps some of what Arm wants or needs can actually
>> benefit x86 as well, but this requires sufficiently much code sharing
>> then.
> 
> Well, it would be nice to have similar implementations. But at the same 
> time, we have different constraint. For instance, dom0 may disappear in 
> the future on Arm.

And becoming independent of Dom0 in this regard would be a benefit to
x86 as well, I think, irrespective of whether dom0less is to become a
thing there, too.

Jan

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

Hi,

On 17/07/2020 14:59, Jan Beulich wrote:
> On 17.07.2020 15:50, Julien Grall wrote:
>> (Resending to the correct ML)
>> On 17/07/2020 14:23, Julien Grall wrote:
>>> On 16/07/2020 18:02, Rahul Singh wrote:
>>>> # Discovering PCI devices:
>>>>
>>>> PCI-PCIe enumeration is a process of detecting devices connected to
>>>> its host. It is the responsibility of the hardware domain or boot
>>>> firmware to do the PCI enumeration and configure the BAR, PCI
>>>> capabilities, and MSI/MSI-X configuration.
>>>>
>>>> PCI-PCIe enumeration in XEN is not feasible for the configuration part
>>>> as it would require a lot of code inside Xen which would require a lot
>>>> of maintenance. Added to this many platforms require some quirks in
>>>> that part of the PCI code which would greatly improve Xen complexity.
>>>> Once hardware domain enumerates the device then it will communicate to
>>>> XEN via the below hypercall.
>>>>
>>>> #define PHYSDEVOP_pci_device_add        25
>>>> struct physdev_pci_device_add {
>>>>       uint16_t seg;
>>>>       uint8_t bus;
>>>>       uint8_t devfn;
>>>>       uint32_t flags;
>>>>       struct {
>>>>           uint8_t bus;
>>>>           uint8_t devfn;
>>>>       } physfn;
>>>>       /*
>>>>       * Optional parameters array.
>>>>       * First element ([0]) is PXM domain associated with the device
>>>> (if * XEN_PCI_DEV_PXM is set)
>>>>       */
>>>>       uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>>>       };
>>>>
>>>> As the hypercall argument has the PCI segment number, XEN will access
>>>> the PCI config space based on this segment number and find the
>>>> host-bridge corresponding to this segment number. At this stage host
>>>> bridge is fully initialized so there will be no issue to access the
>>>> config space.
>>>>
>>>> XEN will add the PCI devices in the linked list maintain in XEN using
>>>> the function pci_add_device(). XEN will be aware of all the PCI
>>>> devices on the system and all the device will be added to the hardware
>>>> domain.
>>> I understand this what x86 does. However, may I ask why we would want it
>>> for Arm?
> 
> Isn't it the normal thing to follow what there is, and instead provide
> reasons why a different approach is to be followed?

Not all the decision on x86 have been great and this is the opportunity 
to make it better rather than blindly follow. For instance, platform 
devices were are not assigned (back) to dom0 by default. Thanks to this 
decision, we were not affected by XSA-306.

> Personally I'd much
> prefer if we didn't have two fundamentally different PCI implementations
> in the tree. Perhaps some of what Arm wants or needs can actually
> benefit x86 as well, but this requires sufficiently much code sharing
> then.

Well, it would be nice to have similar implementations. But at the same 
time, we have different constraint. For instance, dom0 may disappear in 
the future on Arm.

Cheers,

-- 
Julien Grall

Re: PCI devices passthrough on Arm design proposal

[Jan Beulich]

On 17.07.2020 15:50, Julien Grall wrote:
> (Resending to the correct ML)
> On 17/07/2020 14:23, Julien Grall wrote:
>> On 16/07/2020 18:02, Rahul Singh wrote:
>>> # Discovering PCI devices:
>>>
>>> PCI-PCIe enumeration is a process of detecting devices connected to 
>>> its host. It is the responsibility of the hardware domain or boot 
>>> firmware to do the PCI enumeration and configure the BAR, PCI 
>>> capabilities, and MSI/MSI-X configuration.
>>>
>>> PCI-PCIe enumeration in XEN is not feasible for the configuration part 
>>> as it would require a lot of code inside Xen which would require a lot 
>>> of maintenance. Added to this many platforms require some quirks in 
>>> that part of the PCI code which would greatly improve Xen complexity. 
>>> Once hardware domain enumerates the device then it will communicate to 
>>> XEN via the below hypercall.
>>>
>>> #define PHYSDEVOP_pci_device_add        25
>>> struct physdev_pci_device_add {
>>>      uint16_t seg;
>>>      uint8_t bus;
>>>      uint8_t devfn;
>>>      uint32_t flags;
>>>      struct {
>>>          uint8_t bus;
>>>          uint8_t devfn;
>>>      } physfn;
>>>      /*
>>>      * Optional parameters array.
>>>      * First element ([0]) is PXM domain associated with the device 
>>> (if * XEN_PCI_DEV_PXM is set)
>>>      */
>>>      uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>>      };
>>>
>>> As the hypercall argument has the PCI segment number, XEN will access 
>>> the PCI config space based on this segment number and find the 
>>> host-bridge corresponding to this segment number. At this stage host 
>>> bridge is fully initialized so there will be no issue to access the 
>>> config space.
>>>
>>> XEN will add the PCI devices in the linked list maintain in XEN using 
>>> the function pci_add_device(). XEN will be aware of all the PCI 
>>> devices on the system and all the device will be added to the hardware 
>>> domain.
>> I understand this what x86 does. However, may I ask why we would want it 
>> for Arm?

Isn't it the normal thing to follow what there is, and instead provide
reasons why a different approach is to be followed? Personally I'd much
prefer if we didn't have two fundamentally different PCI implementations
in the tree. Perhaps some of what Arm wants or needs can actually
benefit x86 as well, but this requires sufficiently much code sharing
then.

Jan

Re: PCI devices passthrough on Arm design proposal

[Julien Grall]

(Resending to the correct ML)

On 17/07/2020 14:23, Julien Grall wrote:
> 
> 
> On 16/07/2020 18:02, Rahul Singh wrote:
>> Hello All,
> 
> Hi,
> 
>> Following up on discussion on PCI Passthrough support on ARM that we 
>> had at the XEN summit, we are submitting a Review For Comment and a 
>> design proposal for PCI passthrough support on ARM. Feel free to give 
>> your feedback.
>>
>> The followings describe the high-level design proposal of the PCI 
>> passthrough support and how the different modules within the system 
>> interacts with each other to assign a particular PCI device to the guest.
> 
> There was an attempt a few years ago to get a design document for PCI 
> passthrough (see [1]). I would suggest to have a look at the thread as I 
> think it would help to have an overview of all the components (e.g MSI 
> controllers...) even if they will not be implemented at the beginning.
> 
>>
>> # Title:
>>
>> PCI devices passthrough on Arm design proposal
>>
>> # Problem statement:
>>
>> On ARM there in no support to assign a PCI device to a guest. PCI 
>> device passthrough capability allows guests to have full access to 
>> some PCI devices. PCI device passthrough allows PCI devices to appear 
>> and behave as if they were physically attached to the guest operating 
>> system and provide full isolation of the PCI devices.
>>
>> Goal of this work is to also support Dom0Less configuration so the PCI 
>> backend/frontend drivers used on x86 shall not be used on Arm. It will 
>> use the existing VPCI concept from X86 and implement the virtual PCI 
>> bus through IO emulation​ such that only assigned devices are visible​ 
>> to the guest and guest can use the standard PCI driver.
>>
>> Only Dom0 and Xen will have access to the real PCI bus,​ guest will 
>> have a direct access to the assigned device itself​. IOMEM memory will 
>> be mapped to the guest ​and interrupt will be redirected to the guest. 
>> SMMU has to be configured correctly to have DMA transaction.
>>
>> ## Current state: Draft version
>>
>> # Proposer(s): Rahul Singh, Bertrand Marquis
>>
>> # Proposal:
>>
>> This section will describe the different subsystem to support the PCI 
>> device passthrough and how these subsystems interact with each other 
>> to assign a device to the guest.
>>
>> # PCI Terminology:
>>
>> Host Bridge: Host bridge allows the PCI devices to talk to the rest of 
>> the computer.
>> ECAM: ECAM (Enhanced Configuration Access Mechanism) is a mechanism 
>> developed to allow PCIe to access configuration space. The space 
>> available per function is 4KB.
>>
>> # Discovering PCI Host Bridge in XEN:
>>
>> In order to support the PCI passthrough XEN should be aware of all the 
>> PCI host bridges available on the system and should be able to access 
>> the PCI configuration space. ECAM configuration access is supported as 
>> of now. XEN during boot will read the PCI device tree node “reg” 
>> property and will map the ECAM space to the XEN memory using the 
>> “ioremap_nocache ()” function.
>>
>> If there are more than one segment on the system, XEN will read the 
>> “linux, pci-domain” property from the device tree node and configure  
>> the host bridge segment number accordingly. All the PCI device tree 
>> nodes should have the “linux,pci-domain” property so that there will 
>> be no conflicts. During hardware domain boot Linux will also use the 
>> same “linux,pci-domain” property and assign the domain number to the 
>> host bridge.
> 
> AFAICT, "linux,pci-domain" is not a mandatory option and mostly tie to 
> Linux. What would happen with other OS?
> 
> But I would rather avoid trying to mandate a user to modifying his/her 
> device-tree in order to support PCI passthrough. It would be better to 
> consider Xen to assign the number if it is not present.
> 
>>
>> When Dom0 tries to access the PCI config space of the device, XEN will 
>> find the corresponding host bridge based on segment number and access 
>> the corresponding config space assigned to that bridge.
>>
>> Limitation:
>> * Only PCI ECAM configuration space access is supported.
>> * Device tree binding is supported as of now, ACPI is not supported.
> 
> We want to differentiate the high-level design from the actual 
> implementation. While you may not yet implement ACPI, we still need to 
> keep it in mind to avoid incompatibilities in long term.
> 
>> * Need to port the PCI host bridge access code to XEN to access the 
>> configuration space (generic one works but lots of platforms will 
>> required  some specific code or quirks).
>>
>> # Discovering PCI devices:
>>
>> PCI-PCIe enumeration is a process of detecting devices connected to 
>> its host. It is the responsibility of the hardware domain or boot 
>> firmware to do the PCI enumeration and configure the BAR, PCI 
>> capabilities, and MSI/MSI-X configuration.
>>
>> PCI-PCIe enumeration in XEN is not feasible for the configuration part 
>> as it would require a lot of code inside Xen which would require a lot 
>> of maintenance. Added to this many platforms require some quirks in 
>> that part of the PCI code which would greatly improve Xen complexity. 
>> Once hardware domain enumerates the device then it will communicate to 
>> XEN via the below hypercall.
>>
>> #define PHYSDEVOP_pci_device_add        25
>> struct physdev_pci_device_add {
>>      uint16_t seg;
>>      uint8_t bus;
>>      uint8_t devfn;
>>      uint32_t flags;
>>      struct {
>>          uint8_t bus;
>>          uint8_t devfn;
>>      } physfn;
>>      /*
>>      * Optional parameters array.
>>      * First element ([0]) is PXM domain associated with the device 
>> (if * XEN_PCI_DEV_PXM is set)
>>      */
>>      uint32_t optarr[XEN_FLEX_ARRAY_DIM];
>>      };
>>
>> As the hypercall argument has the PCI segment number, XEN will access 
>> the PCI config space based on this segment number and find the 
>> host-bridge corresponding to this segment number. At this stage host 
>> bridge is fully initialized so there will be no issue to access the 
>> config space.
>>
>> XEN will add the PCI devices in the linked list maintain in XEN using 
>> the function pci_add_device(). XEN will be aware of all the PCI 
>> devices on the system and all the device will be added to the hardware 
>> domain.
> I understand this what x86 does. However, may I ask why we would want it 
> for Arm?
> 
>>
>> Limitations:
>> * When PCI devices are added to XEN, MSI capability is not initialized 
>> inside XEN and not supported as of now.
>> * ACS capability is disable for ARM as of now as after enabling it 
>> devices are not accessible.
> 
> I am not sure to understand this. Can you expand?
> 
>> * Dom0Less implementation will require to have the capacity inside Xen 
>> to discover the PCI devices (without depending on Dom0 to declare them 
>> to Xen).
>>
>> # Enable the existing x86 virtual PCI support for ARM:
>>
>> The existing VPCI support available for X86 is adapted for Arm. When 
>> the device is added to XEN via the hyper call 
>> “PHYSDEVOP_pci_device_add”, VPCI handler for the config space access 
>> is added to the PCI device to emulate the PCI devices.
>>
>> A MMIO trap handler for the PCI ECAM space is registered in XEN so 
>> that when guest is trying to access the PCI config space, XEN will 
>> trap the access and emulate read/write using the VPCI and not the real 
>> PCI hardware.
>>
>> Limitation:
>> * No handler is register for the MSI configuration.
>> * Only legacy interrupt is supported and tested as of now, MSI is not 
>> implemented and tested.
> 
> IIRC, legacy interrupt may be shared between two PCI devices. How do you 
> plan to handle this on Arm?
> 
>>
>> # Assign the device to the guest:
>>
>> Assign the PCI device from the hardware domain to the guest is done 
>> using the below guest config option. When xl tool create the domain, 
>> PCI devices will be assigned to the guest VPCI bus.
> 
> Above, you suggest that device will be assigned to the hardware domain 
> at boot. I am assuming this also means that all the interrupts/MMIOs 
> will be routed/mapped, is that correct?
> 
> If so, can you provide a rough sketch how assign/deassign will work?
> 
>>     pci=[ "PCI_SPEC_STRING", "PCI_SPEC_STRING", ...]
>>
>> Guest will be only able to access the assigned devices and see the 
>> bridges. Guest will not be able to access or see the devices that are 
>> no assigned to him.
>>
>> Limitation:
>> * As of now all the bridges in the PCI bus are seen by the guest on 
>> the VPCI bus.
> 
> Why do you want to expose all the bridges to a guest? Does this mean 
> that the BDF should always match between the host and the guest?
> 
>>
>> # Emulated PCI device tree node in libxl:
>>
>> Libxl is creating a virtual PCI device tree node in the device tree to 
>> enable the guest OS to discover the virtual PCI during guest boot. We 
>> introduced the new config option [vpci="pci_ecam"] for guests. When 
>> this config option is enabled in a guest configuration, a PCI device 
>> tree node will be created in the guest device tree.
>>
>> A new area has been reserved in the arm guest physical map at which 
>> the VPCI bus is declared in the device tree (reg and ranges parameters 
>> of the node). A trap handler for the PCI ECAM access from guest has 
>> been registered at the defined address and redirects requests to the 
>> VPCI driver in Xen.
>>
>> Limitation:
>> * Only one PCI device tree node is supported as of now.
>>
>> BAR value and IOMEM mapping:
>>
>> Linux guest will do the PCI enumeration based on the area reserved for 
>> ECAM and IOMEM ranges in the VPCI device tree node. Once PCI    device 
>> is assigned to the guest, XEN will map the guest PCI IOMEM region to 
>> the real physical IOMEM region only for the assigned devices.
>>
>> As of now we have not modified the existing VPCI code to map the guest 
>> PCI IOMEM region to the real physical IOMEM region. We used the 
>> existing guest “iomem” config option to map the region.
>> For example:
>>     Guest reserved IOMEM region:  0x04020000
>>          Real physical IOMEM region:0x50000000
>>          IOMEM size:128MB
>>          iomem config will be:   iomem = ["0x50000,0x8000@0x4020"]
>>
>> There is no need to map the ECAM space as XEN already have access to 
>> the ECAM space and XEN will trap ECAM accesses from the guest and will 
>> perform read/write on the VPCI bus.
>>
>> IOMEM access will not be trapped and the guest will directly access 
>> the IOMEM region of the assigned device via stage-2 translation.
>>
>> In the same, we mapped the assigned devices IRQ to the guest using 
>> below config options.
>>     irqs= [ NUMBER, NUMBER, ...]
>>
>> Limitation:
>> * Need to avoid the “iomem” and “irq” guest config options and map the 
>> IOMEM region and IRQ at the same time when device is assigned to the 
>> guest using the “pci” guest config options when xl creates the domain.
>> * Emulated BAR values on the VPCI bus should reflect the IOMEM mapped 
>> address.
>> * X86 mapping code should be ported on Arm so that the stage-2 
>> translation is adapted when the guest is doing a modification of the 
>> BAR registers values (to map the address requested by the guest for a 
>> specific IOMEM to the address actually contained in the real BAR 
>> register of the corresponding device).
>>
>> # SMMU configuration for guest:
>>
>> When assigning PCI devices to a guest, the SMMU configuration should 
>> be updated to remove access to the hardware domain memory and add
>> configuration to have access to the guest memory with the proper 
>> address translation so that the device can do DMA operations from and 
>> to the guest memory only.
> 
> There are a few more questions to answer here:
>     - When a guest is destroyed, who will be the owner of the PCI 
> devices? Depending on the answer, how do you make sure the device is 
> quiescent?
>     - Is there any memory access that can bypassed the IOMMU (e.g 
> doorbell)?
> 
> Cheers,
> 
> [1] 
> https://lists.xenproject.org/archives/html/xen-devel/2017-05/msg02520.html
> 

-- 
Julien Grall