[Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support

[Amit Shah <amit.shah@xxxxxxxxxxxx>]

On Thursday 10 January 2008 21:18:24 Wei Wang2 wrote:
> hi list,
> I am considering adding DMA protection/isolation support for iommu
> machine:  Below are the suggested approaches to be discussed:
>
> 1) Para-virtualized IOMMU
> If it is possible to integrate IOMMU driver into guest kernel, we can
> just implement a set of para-virtualized interface to forward hardware
> operations from guest to HV. Guest kernel will allocation IO page table
> for itself, but IO-PTE updating is verified by HV through hypercall.
>
> 2) IOMMU-aware dma layer.
> Currently, driver domain utilizes swiotlb to get dma_address below 4G,
> which is an additional overhead to IOMMU machine. For IOMMU machine, we
> can implement a new dma layer which takes "guest_domain-id",
> "device_bdf", and "guest_page" information as parameters and returns
> virtual io address to guest OS. Guest OS only have very limited
> knowledge/control to IOMMU. In this case, HV will allocate and update IO
> page table for guest domain.
>
> 3) Hooking guest memory changes
> No guest OS modification is needed in this approach.  All we need is to
> update IO page table when guest physical memory changes triggered by
> domain initialization, ballooning, and grant reference mapping...
>
> Thanks for any comments, ideas, corrections... to this thread.

I have a few patches (quite old, I need to refresh them) for doing this. I was 
also looking at integrating this functionality with the AMD DEV for securing 
accesses.

This effort was mostly done with kvm+qemu in mind, but the DMA-level 
operations should work across any hypervisor on a PV guest.

http://lkml.org/lkml/2007/11/7/125

Let me know if these patches can be helpful and I can refresh them to the 
newer kernels.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel