From: Thiago Jung Bauermann <bauerman@linux.ibm.com> To: "Michael S. Tsirkin" <mst@redhat.com> Cc: virtualization@lists.linux-foundation.org, linuxppc-dev@lists.ozlabs.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jason Wang <jasowang@redhat.com>, Christoph Hellwig <hch@lst.de>, David Gibson <david@gibson.dropbear.id.au>, Alexey Kardashevskiy <aik@linux.ibm.com>, Paul Mackerras <paulus@ozlabs.org>, Benjamin Herrenschmidt <benh@kernel.crashing.org>, Ram Pai <linuxram@us.ibm.com>, Jean-Philippe Brucker <jean-philippe.brucker@arm.com>, Michael Roth <mdroth@linux.vnet.ibm.com>, Mike Anderson <andmike@linux.ibm.com> Subject: Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted Date: Fri, 26 Apr 2019 20:56:43 -0300 [thread overview] Message-ID: <871s1o1ft0.fsf@morokweng.localdomain> (raw) In-Reply-To: <20190424210813-mutt-send-email-mst@kernel.org> Michael S. Tsirkin <mst@redhat.com> writes: > On Wed, Apr 24, 2019 at 10:01:56PM -0300, Thiago Jung Bauermann wrote: >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> > On Wed, Apr 17, 2019 at 06:42:00PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> >> >> > On Thu, Mar 21, 2019 at 09:05:04PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> >> >> >> >> > On Wed, Mar 20, 2019 at 01:13:41PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> >From what I understand of the ACCESS_PLATFORM definition, the host will >> >> >> >> only ever try to access memory addresses that are supplied to it by the >> >> >> >> guest, so all of the secure guest memory that the host cares about is >> >> >> >> accessible: >> >> >> >> >> >> >> >> If this feature bit is set to 0, then the device has same access to >> >> >> >> memory addresses supplied to it as the driver has. In particular, >> >> >> >> the device will always use physical addresses matching addresses >> >> >> >> used by the driver (typically meaning physical addresses used by the >> >> >> >> CPU) and not translated further, and can access any address supplied >> >> >> >> to it by the driver. When clear, this overrides any >> >> >> >> platform-specific description of whether device access is limited or >> >> >> >> translated in any way, e.g. whether an IOMMU may be present. >> >> >> >> >> >> >> >> All of the above is true for POWER guests, whether they are secure >> >> >> >> guests or not. >> >> >> >> >> >> >> >> Or are you saying that a virtio device may want to access memory >> >> >> >> addresses that weren't supplied to it by the driver? >> >> >> > >> >> >> > Your logic would apply to IOMMUs as well. For your mode, there are >> >> >> > specific encrypted memory regions that driver has access to but device >> >> >> > does not. that seems to violate the constraint. >> >> >> >> >> >> Right, if there's a pre-configured 1:1 mapping in the IOMMU such that >> >> >> the device can ignore the IOMMU for all practical purposes I would >> >> >> indeed say that the logic would apply to IOMMUs as well. :-) >> >> >> >> >> >> I guess I'm still struggling with the purpose of signalling to the >> >> >> driver that the host may not have access to memory addresses that it >> >> >> will never try to access. >> >> > >> >> > For example, one of the benefits is to signal to host that driver does >> >> > not expect ability to access all memory. If it does, host can >> >> > fail initialization gracefully. >> >> >> >> But why would the ability to access all memory be necessary or even >> >> useful? When would the host access memory that the driver didn't tell it >> >> to access? >> > >> > When I say all memory I mean even memory not allowed by the IOMMU. >> >> Yes, but why? How is that memory relevant? > > It's relevant when driver is not trusted to only supply correct > addresses. The feature was originally designed to support userspace > drivers within guests. Ah, thanks for clarifying. I don't think that's a problem in our case. If the guest provides an incorrect address, the hardware simply won't allow the host to access it. >> >> >> > Another idea is maybe something like virtio-iommu? >> >> >> >> >> >> You mean, have legacy guests use virtio-iommu to request an IOMMU >> >> >> bypass? If so, it's an interesting idea for new guests but it doesn't >> >> >> help with guests that are out today in the field, which don't have A >> >> >> virtio-iommu driver. >> >> > >> >> > I presume legacy guests don't use encrypted memory so why do we >> >> > worry about them at all? >> >> >> >> They don't use encrypted memory, but a host machine will run a mix of >> >> secure and legacy guests. And since the hypervisor doesn't know whether >> >> a guest will be secure or not at the time it is launched, legacy guests >> >> will have to be launched with the same configuration as secure guests. >> > >> > OK and so I think the issue is that hosts generally fail if they set >> > ACCESS_PLATFORM and guests do not negotiate it. >> > So you can not just set ACCESS_PLATFORM for everyone. >> > Is that the issue here? >> >> Yes, that is one half of the issue. The other is that even if hosts >> didn't fail, existing legacy guests wouldn't "take the initiative" of >> not negotiating ACCESS_PLATFORM to get the improved performance. They'd >> have to be modified to do that. > > So there's a non-encrypted guest, hypervisor wants to set > ACCESS_PLATFORM to allow encrypted guests but that will slow down legacy > guests since their vIOMMU emulation is very slow. Yes. > So enabling support for encryption slows down non-encrypted guests. Not > great but not the end of the world, considering even older guests that > don't support ACCESS_PLATFORM are completely broken and you do not seem > to be too worried by that. Well, I guess that would be the third half of the issue. :-) > For future non-encrypted guests, bypassing the emulated IOMMU for when > that emulated IOMMU is very slow might be solvable in some other way, > e.g. with virtio-iommu. Which reminds me, could you look at > virtio-iommu as a solution for some of the issues? > Review of that patchset from that POV would be appreciated. Yes, I will have a look. As you mentioned already, virtio-iommu doesn't define a way to request iommu bypass for a device so that would have to be added. Though to be honest in practice I don't think such a feature in virtio-iommu would make things easier for us, at least in the short term. It would take the same effort to define a powerpc-specific hypercall to accomplish the same thing (easier, in fact since we wouldn't have to implement the rest of virtio-iommu). In fact, there already is such hypercall, but it is only defined for VIO devices (RTAS_IBM_SET_TCE_BYPASS in QEMU). We would have to make it work on virtio devices as well. -- Thiago Jung Bauermann IBM Linux Technology Center
WARNING: multiple messages have this Message-ID (diff)
From: Thiago Jung Bauermann <bauerman@linux.ibm.com> To: "Michael S. Tsirkin" <mst@redhat.com> Cc: Mike Anderson <andmike@linux.ibm.com>, Michael Roth <mdroth@linux.vnet.ibm.com>, Jean-Philippe Brucker <jean-philippe.brucker@arm.com>, Benjamin Herrenschmidt <benh@kernel.crashing.org>, Jason Wang <jasowang@redhat.com>, Alexey Kardashevskiy <aik@linux.ibm.com>, Ram Pai <linuxram@us.ibm.com>, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, Paul Mackerras <paulus@ozlabs.org>, iommu@lists.linux-foundation.org, linuxppc-dev@lists.ozlabs.org, Christoph Hellwig <hch@lst.de>, David Gibson <david@gibson.dropbear.id.au> Subject: Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted Date: Fri, 26 Apr 2019 20:56:43 -0300 [thread overview] Message-ID: <871s1o1ft0.fsf@morokweng.localdomain> (raw) Message-ID: <20190426235643.jUEof2wsd_zgZ2pK_bUfutM4dJpukpJX4fOEFRl1A2w@z> (raw) In-Reply-To: <20190424210813-mutt-send-email-mst@kernel.org> Michael S. Tsirkin <mst@redhat.com> writes: > On Wed, Apr 24, 2019 at 10:01:56PM -0300, Thiago Jung Bauermann wrote: >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> > On Wed, Apr 17, 2019 at 06:42:00PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> >> >> > On Thu, Mar 21, 2019 at 09:05:04PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> >> >> Michael S. Tsirkin <mst@redhat.com> writes: >> >> >> >> >> >> > On Wed, Mar 20, 2019 at 01:13:41PM -0300, Thiago Jung Bauermann wrote: >> >> >> >> >From what I understand of the ACCESS_PLATFORM definition, the host will >> >> >> >> only ever try to access memory addresses that are supplied to it by the >> >> >> >> guest, so all of the secure guest memory that the host cares about is >> >> >> >> accessible: >> >> >> >> >> >> >> >> If this feature bit is set to 0, then the device has same access to >> >> >> >> memory addresses supplied to it as the driver has. In particular, >> >> >> >> the device will always use physical addresses matching addresses >> >> >> >> used by the driver (typically meaning physical addresses used by the >> >> >> >> CPU) and not translated further, and can access any address supplied >> >> >> >> to it by the driver. When clear, this overrides any >> >> >> >> platform-specific description of whether device access is limited or >> >> >> >> translated in any way, e.g. whether an IOMMU may be present. >> >> >> >> >> >> >> >> All of the above is true for POWER guests, whether they are secure >> >> >> >> guests or not. >> >> >> >> >> >> >> >> Or are you saying that a virtio device may want to access memory >> >> >> >> addresses that weren't supplied to it by the driver? >> >> >> > >> >> >> > Your logic would apply to IOMMUs as well. For your mode, there are >> >> >> > specific encrypted memory regions that driver has access to but device >> >> >> > does not. that seems to violate the constraint. >> >> >> >> >> >> Right, if there's a pre-configured 1:1 mapping in the IOMMU such that >> >> >> the device can ignore the IOMMU for all practical purposes I would >> >> >> indeed say that the logic would apply to IOMMUs as well. :-) >> >> >> >> >> >> I guess I'm still struggling with the purpose of signalling to the >> >> >> driver that the host may not have access to memory addresses that it >> >> >> will never try to access. >> >> > >> >> > For example, one of the benefits is to signal to host that driver does >> >> > not expect ability to access all memory. If it does, host can >> >> > fail initialization gracefully. >> >> >> >> But why would the ability to access all memory be necessary or even >> >> useful? When would the host access memory that the driver didn't tell it >> >> to access? >> > >> > When I say all memory I mean even memory not allowed by the IOMMU. >> >> Yes, but why? How is that memory relevant? > > It's relevant when driver is not trusted to only supply correct > addresses. The feature was originally designed to support userspace > drivers within guests. Ah, thanks for clarifying. I don't think that's a problem in our case. If the guest provides an incorrect address, the hardware simply won't allow the host to access it. >> >> >> > Another idea is maybe something like virtio-iommu? >> >> >> >> >> >> You mean, have legacy guests use virtio-iommu to request an IOMMU >> >> >> bypass? If so, it's an interesting idea for new guests but it doesn't >> >> >> help with guests that are out today in the field, which don't have A >> >> >> virtio-iommu driver. >> >> > >> >> > I presume legacy guests don't use encrypted memory so why do we >> >> > worry about them at all? >> >> >> >> They don't use encrypted memory, but a host machine will run a mix of >> >> secure and legacy guests. And since the hypervisor doesn't know whether >> >> a guest will be secure or not at the time it is launched, legacy guests >> >> will have to be launched with the same configuration as secure guests. >> > >> > OK and so I think the issue is that hosts generally fail if they set >> > ACCESS_PLATFORM and guests do not negotiate it. >> > So you can not just set ACCESS_PLATFORM for everyone. >> > Is that the issue here? >> >> Yes, that is one half of the issue. The other is that even if hosts >> didn't fail, existing legacy guests wouldn't "take the initiative" of >> not negotiating ACCESS_PLATFORM to get the improved performance. They'd >> have to be modified to do that. > > So there's a non-encrypted guest, hypervisor wants to set > ACCESS_PLATFORM to allow encrypted guests but that will slow down legacy > guests since their vIOMMU emulation is very slow. Yes. > So enabling support for encryption slows down non-encrypted guests. Not > great but not the end of the world, considering even older guests that > don't support ACCESS_PLATFORM are completely broken and you do not seem > to be too worried by that. Well, I guess that would be the third half of the issue. :-) > For future non-encrypted guests, bypassing the emulated IOMMU for when > that emulated IOMMU is very slow might be solvable in some other way, > e.g. with virtio-iommu. Which reminds me, could you look at > virtio-iommu as a solution for some of the issues? > Review of that patchset from that POV would be appreciated. Yes, I will have a look. As you mentioned already, virtio-iommu doesn't define a way to request iommu bypass for a device so that would have to be added. Though to be honest in practice I don't think such a feature in virtio-iommu would make things easier for us, at least in the short term. It would take the same effort to define a powerpc-specific hypercall to accomplish the same thing (easier, in fact since we wouldn't have to implement the rest of virtio-iommu). In fact, there already is such hypercall, but it is only defined for VIO devices (RTAS_IBM_SET_TCE_BYPASS in QEMU). We would have to make it work on virtio devices as well. -- Thiago Jung Bauermann IBM Linux Technology Center _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
next prev parent reply other threads:[~2019-04-26 23:56 UTC|newest] Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-01-29 17:08 [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted Thiago Jung Bauermann 2019-01-29 17:42 ` Thiago Jung Bauermann 2019-01-29 19:02 ` Michael S. Tsirkin 2019-01-30 2:24 ` Jason Wang 2019-01-30 2:36 ` Michael S. Tsirkin 2019-01-30 3:05 ` Jason Wang 2019-01-30 3:26 ` Michael S. Tsirkin 2019-01-30 7:44 ` Christoph Hellwig 2019-02-04 18:15 ` Thiago Jung Bauermann 2019-02-04 21:38 ` Michael S. Tsirkin 2019-02-05 7:24 ` Christoph Hellwig [not found] ` <20190205072407.GA4311-jcswGhMUV9g@public.gmane.org> 2019-02-05 16:13 ` Michael S. Tsirkin 2019-03-26 16:53 ` Michael S. Tsirkin 2019-02-04 18:14 ` Thiago Jung Bauermann 2019-02-04 20:23 ` Michael S. Tsirkin 2019-03-20 16:13 ` Thiago Jung Bauermann 2019-03-20 21:17 ` Michael S. Tsirkin 2019-03-22 0:05 ` Thiago Jung Bauermann 2019-03-23 21:01 ` Michael S. Tsirkin 2019-03-25 0:57 ` David Gibson 2019-04-17 21:42 ` Thiago Jung Bauermann 2019-04-17 21:42 ` Thiago Jung Bauermann [not found] ` <20190323165456-mutt-send-email-mst-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2019-04-17 21:42 ` Thiago Jung Bauermann 2019-04-17 21:42 ` Thiago Jung Bauermann 2019-04-19 23:09 ` Michael S. Tsirkin 2019-04-19 23:09 ` Michael S. Tsirkin 2019-04-25 1:01 ` Thiago Jung Bauermann 2019-04-25 1:01 ` Thiago Jung Bauermann [not found] ` <875zr228zf.fsf-wxVGo8vDogbJvNEK5ZsId7p2dZbC/Bob@public.gmane.org> 2019-04-25 1:18 ` Michael S. Tsirkin 2019-04-25 1:18 ` Michael S. Tsirkin 2019-04-26 23:56 ` Thiago Jung Bauermann [this message] 2019-04-26 23:56 ` Thiago Jung Bauermann 2019-05-20 13:08 ` Michael S. Tsirkin 2019-05-20 13:16 ` Michael S. Tsirkin 2019-06-04 1:13 ` Thiago Jung Bauermann 2019-06-04 1:42 ` Michael S. Tsirkin 2019-06-28 1:58 ` Thiago Jung Bauermann 2019-07-01 14:17 ` Michael S. Tsirkin 2019-07-14 5:51 ` Thiago Jung Bauermann 2019-07-15 14:35 ` Michael S. Tsirkin 2019-07-15 20:29 ` Thiago Jung Bauermann 2019-07-15 20:36 ` Michael S. Tsirkin 2019-07-15 22:03 ` Thiago Jung Bauermann 2019-07-15 22:16 ` Michael S. Tsirkin 2019-07-15 23:05 ` Thiago Jung Bauermann 2019-07-15 23:24 ` Benjamin Herrenschmidt 2019-07-18 3:39 ` Thiago Jung Bauermann 2019-08-10 18:57 ` Michael S. Tsirkin 2019-08-10 22:07 ` Ram Pai 2019-08-11 5:56 ` Christoph Hellwig 2019-08-11 6:46 ` Ram Pai 2019-08-11 8:44 ` Michael S. Tsirkin 2019-08-12 12:13 ` Christoph Hellwig 2019-08-12 20:29 ` Ram Pai 2019-08-11 8:42 ` Michael S. Tsirkin 2019-08-11 8:55 ` Michael S. Tsirkin 2019-08-12 12:15 ` Christoph Hellwig 2019-09-06 5:07 ` Michael S. Tsirkin 2019-08-12 9:51 ` David Gibson 2019-08-13 13:26 ` Christoph Hellwig 2019-08-13 14:24 ` David Gibson 2019-08-13 15:45 ` Ram Pai 2019-08-26 17:48 ` Ram Pai 2019-08-11 8:12 ` Michael S. Tsirkin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=871s1o1ft0.fsf@morokweng.localdomain \ --to=bauerman@linux.ibm.com \ --cc=aik@linux.ibm.com \ --cc=andmike@linux.ibm.com \ --cc=benh@kernel.crashing.org \ --cc=david@gibson.dropbear.id.au \ --cc=hch@lst.de \ --cc=iommu@lists.linux-foundation.org \ --cc=jasowang@redhat.com \ --cc=jean-philippe.brucker@arm.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=linuxram@us.ibm.com \ --cc=mdroth@linux.vnet.ibm.com \ --cc=mst@redhat.com \ --cc=paulus@ozlabs.org \ --cc=virtualization@lists.linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).