On 2020/2/21 下午10:56, Halil Pasic wrote: > On Fri, 21 Feb 2020 14:22:26 +0800 > Jason Wang wrote: > >> On 2020/2/21 上午12:06, Halil Pasic wrote: >>> Currently if one intends to run a memory protection enabled VM with >>> virtio devices and linux as the guest OS, one needs to specify the >>> VIRTIO_F_IOMMU_PLATFORM flag for each virtio device to make the guest >>> linux use the DMA API, which in turn handles the memory >>> encryption/protection stuff if the guest decides to turn itself into >>> a protected one. This however makes no sense due to multiple reasons: >>> * The device is not changed by the fact that the guest RAM is >>> protected. The so called IOMMU bypass quirk is not affected. >>> * This usage is not congruent with standardised semantics of >>> VIRTIO_F_IOMMU_PLATFORM. Guest memory protected is an orthogonal reason >>> for using DMA API in virtio (orthogonal with respect to what is >>> expressed by VIRTIO_F_IOMMU_PLATFORM). >>> >>> This series aims to decouple 'have to use DMA API because my (guest) RAM >>> is protected' and 'have to use DMA API because the device told me >>> VIRTIO_F_IOMMU_PLATFORM'. >>> >>> Please find more detailed explanations about the conceptual aspects in >>> the individual patches. There is however also a very practical problem >>> that is addressed by this series. >>> >>> For vhost-net the feature VIRTIO_F_IOMMU_PLATFORM has the following side >>> effect The vhost code assumes it the addresses on the virtio descriptor >>> ring are not guest physical addresses but iova's, and insists on doing a >>> translation of these regardless of what transport is used (e.g. whether >>> we emulate a PCI or a CCW device). (For details see commit 6b1e6cc7855b >>> "vhost: new device IOTLB API".) On s390 this results in severe >>> performance degradation (c.a. factor 10). >> >> Do you see a consistent degradation on the performance, or it only >> happen when for during the beginning of the test? >> > AFAIK the degradation is consistent. > >>> BTW with ccw I/O there is >>> (architecturally) no IOMMU, so the whole address translation makes no >>> sense in the context of virtio-ccw. >> >> I suspect we can do optimization in qemu side. >> >> E.g send memtable entry via IOTLB API when vIOMMU is not enabled. >> >> If this makes sense, I can draft patch to see if there's any difference. > Frankly I would prefer to avoid IOVAs on the descriptor ring (and the > then necessary translation) for virtio-ccw altogether. But Michael > voiced his opinion that we should mandate F_IOMMU_PLATFORM for devices > that could be used with guests running in protected mode. I don't share > his opinion, but that's an ongoing discussion. > > Should we end up having to do translation from IOVA in vhost, we are > very interested in that translation being fast and efficient. > > In that sense we would be very happy to test any optimization that aim > into that direction. > > Thank you very much for your input! Using IOTLB API on platform without IOMMU support is not intended. Please try the attached patch to see if it helps. Thanks > > Regards, > Halil > >> Thanks >> >> >>> Halil Pasic (2): >>> mm: move force_dma_unencrypted() to mem_encrypt.h >>> virtio: let virtio use DMA API when guest RAM is protected >>> >>> drivers/virtio/virtio_ring.c | 3 +++ >>> include/linux/dma-direct.h | 9 --------- >>> include/linux/mem_encrypt.h | 10 ++++++++++ >>> 3 files changed, 13 insertions(+), 9 deletions(-) >>> >>> >>> base-commit: ca7e1fd1026c5af6a533b4b5447e1d2f153e28f2