From: Halil Pasic <pasic@linux.ibm.com>
To: Pierre Morel <pmorel@linux.ibm.com>
Cc: Cornelia Huck <cohuck@redhat.com>,
linux-kernel@vger.kernel.org, borntraeger@de.ibm.com,
frankja@linux.ibm.com, mst@redhat.com, jasowang@redhat.com,
kvm@vger.kernel.org, linux-s390@vger.kernel.org,
virtualization@lists.linux-foundation.org,
thomas.lendacky@amd.com, david@gibson.dropbear.id.au,
linuxram@us.ibm.com, heiko.carstens@de.ibm.com,
gor@linux.ibm.com
Subject: Re: [PATCH v4 2/2] s390: virtio: PV needs VIRTIO I/O device protection
Date: Tue, 7 Jul 2020 13:19:30 +0200 [thread overview]
Message-ID: <20200707131930.546d2643.pasic@linux.ibm.com> (raw)
In-Reply-To: <e9976a77-f4a6-841d-6b95-59811751bce9@linux.ibm.com>
On Tue, 7 Jul 2020 12:38:17 +0200
Pierre Morel <pmorel@linux.ibm.com> wrote:
>
>
> On 2020-07-07 11:46, Cornelia Huck wrote:
> > On Tue, 7 Jul 2020 10:44:37 +0200
> > Pierre Morel <pmorel@linux.ibm.com> wrote:
> >
> >> S390, protecting the guest memory against unauthorized host access
> >> needs to enforce VIRTIO I/O device protection through the use of
> >> VIRTIO_F_VERSION_1 and VIRTIO_F_IOMMU_PLATFORM.
> >
> > Hm... what about:
> >
> > "If protected virtualization is active on s390, the virtio queues are
> > not accessible to the host, unless VIRTIO_F_IOMMU_PLATFORM has been
> > negotiated. Use the new arch_validate_virtio_features() interface to
> > enforce this."
>
> Yes, thanks.
>
>
> >
> >>
> >> Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
> >> ---
> >> arch/s390/kernel/uv.c | 25 +++++++++++++++++++++++++
Is this the right place to put this stuff? This file seems to be about
implementing the interface for interacting with the ultravisor. I would
rather expect something like arch/s390/kernel/virtio.c
Should we ever get arch hooks for balloon those could go in
arch/s390/kernel/virtio.c as well.
> >> 1 file changed, 25 insertions(+)
> >>
> >> diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c
> >> index c296e5c8dbf9..106330f6eda1 100644
> >> --- a/arch/s390/kernel/uv.c
> >> +++ b/arch/s390/kernel/uv.c
> >> @@ -14,6 +14,7 @@
> >> #include <linux/memblock.h>
> >> #include <linux/pagemap.h>
> >> #include <linux/swap.h>
> >> +#include <linux/virtio_config.h>
> >> #include <asm/facility.h>
> >> #include <asm/sections.h>
> >> #include <asm/uv.h>
> >> @@ -413,3 +414,27 @@ static int __init uv_info_init(void)
> >> }
> >> device_initcall(uv_info_init);
> >> #endif
> >> +
> >> +/*
> >> + * arch_validate_virtio_iommu_platform
> >
> > s/arch_validate_virtio_iommu_platform/arch_validate_virtio_features/
> >
> >> + * @dev: the VIRTIO device being added
> >> + *
> >> + * Return value: returns -ENODEV if any features of the
> >> + * device breaks the protected virtualization
> >> + * 0 otherwise.
> >
> > I don't think you need to specify the contract here: that belongs to
> > the definition in the virtio core. What about simply adding a sentence
> > "Return an error if required features are missing on a guest running
> > with protected virtualization." ?
>
> OK, right.
>
> >
> >> + */
> >> +int arch_validate_virtio_features(struct virtio_device *dev)
> >> +{
> >
> > Maybe jump out immediately if the guest is not protected?
> >
> >> + if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) {
> >> + dev_warn(&dev->dev, "device must provide VIRTIO_F_VERSION_1\n");
> >> + return is_prot_virt_guest() ? -ENODEV : 0;
> >> + }
> >> +
> >> + if (!virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) {
> >> + dev_warn(&dev->dev,
> >> + "device must provide VIRTIO_F_IOMMU_PLATFORM\n");
> >> + return is_prot_virt_guest() ? -ENODEV : 0;
> >> + }
> >
> > if (!is_prot_virt_guest())
> > return 0;
> >
> > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) {
> > dev_warn(&dev->dev,
> > "legacy virtio is incompatible with protected guests");
> > return -ENODEV;
> > }
> >
> > if (!virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) {
> > dev_warn(&dev->dev,
> > "device does not work with limited memory access in protected guests");
> > return -ENODEV;
> > }
>
> Yes, easier to read.
>
Not only easier to read but does not produce warnings
if !is_prot_virt_guest(). I strongly prefer the variant proposed by
Connie.
Otherwise LGTM.
Regards,
Halil
next prev parent reply other threads:[~2020-07-07 11:19 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-07 8:44 [PATCH v4 0/2] s390: virtio: let arch validate VIRTIO features Pierre Morel
2020-07-07 8:44 ` [PATCH v4 1/2] " Pierre Morel
2020-07-07 9:26 ` Cornelia Huck
2020-07-07 10:39 ` Pierre Morel
2020-07-07 11:09 ` Christian Borntraeger
2020-07-07 11:17 ` Pierre Morel
2020-07-07 8:44 ` [PATCH v4 2/2] s390: virtio: PV needs VIRTIO I/O device protection Pierre Morel
2020-07-07 9:46 ` Cornelia Huck
2020-07-07 10:38 ` Pierre Morel
2020-07-07 11:19 ` Halil Pasic [this message]
2020-07-07 11:14 ` Michael S. Tsirkin
2020-07-07 11:19 ` Pierre Morel
2020-07-07 11:12 ` Christian Borntraeger
2020-07-07 11:16 ` Pierre Morel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200707131930.546d2643.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=frankja@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=heiko.carstens@de.ibm.com \
--cc=jasowang@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=mst@redhat.com \
--cc=pmorel@linux.ibm.com \
--cc=thomas.lendacky@amd.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).