[Xen-devel] Re: [XEN-IOMMU] Proposal of DMA protection/isolation support
On Thursday 10 January 2008 21:18:24 Wei Wang2 wrote:
> hi list,
> I am considering adding DMA protection/isolation support for iommu
> machine: Below are the suggested approaches to be discussed:
>
> 1) Para-virtualized IOMMU
> If it is possible to integrate IOMMU driver into guest kernel, we can
> just implement a set of para-virtualized interface to forward hardware
> operations from guest to HV. Guest kernel will allocate IO page table
> for itself, but IO-PTE updating is verified by HV through hypercall.
>
> 2) IOMMU-aware dma layer.
> Currently, driver domain utilizes swiotlb to get dma_address below 4G,
> which is an additional overhead to IOMMU machine. For IOMMU machine, we
> can implement a new dma layer which takes "guest_domain-id",
> "device_bdf", and "guest_page" information as parameters and returns
> virtual io address to guest OS. Guest OS only has very limited
> knowledge/control to IOMMU. In this case, HV will allocate and update IO
> page table for guest domain.
>
> 3) Hooking guest memory changes
> No guest OS modification is needed in this approach. All we need is to
> update IO page table when guest physical memory changes triggered by
> domain initialization, ballooning, and grant reference mapping...
>
> Thanks for any comments, ideas, corrections... to this thread.

I have a few patches (quite old, I need to refresh them) for doing this. I was also looking at integrating this functionality with the AMD DEV for securing accesses. This effort was mostly done with kvm+qemu in mind, but the DMA-level operations should work across any hypervisor on a PV guest.

http://lkml.org/lkml/2007/11/7/125

Let me know if these patches can be helpful and I can refresh them to the newer kernels.
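
Added example, not part of the original thread and not Xen or kernel code: a minimal model of the hypervisor-side check in approach 1 of the quoted proposal, where the guest requests an IO-PTE update and the hypervisor installs it only after verifying it. The hypercall name, error codes, table sizes, PTE bit layout and the ownership data are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define NR_DOMAINS  3
#define NR_FRAMES   16   /* constructed machine: 16 page frames */
#define NR_IO_PAGES 8    /* per-domain IO address space, in pages */
#define NR_DEVICES  2
#define IOPTE_VALID 0x1u /* hypothetical PTE layout: frame << 2 | flags */
#define IOPTE_WRITE 0x2u

enum { HV_OK = 0, HV_EPERM = -1, HV_EINVAL = -2 };

/* Hypervisor-private state (constructed sample data). */
static const uint16_t frame_owner[NR_FRAMES] =      /* domain id per frame */
    { 0,0,0,0, 1,1,1,1, 2,2,2,2, 1,1,2,2 };
static const struct { uint16_t bdf, domid; } dev_assign[NR_DEVICES] =
    { { 0x0300, 1 }, { 0x0400, 2 } };               /* bdf -> owning domain */
static uint32_t io_pt[NR_DOMAINS][NR_IO_PAGES];     /* one IO page table per domain */

static int device_belongs_to(uint16_t bdf, uint16_t domid)
{
    for (size_t i = 0; i < NR_DEVICES; i++)
        if (dev_assign[i].bdf == bdf)
            return dev_assign[i].domid == domid;
    return 0;                                       /* unknown device: deny */
}

/* Hypothetical hypercall handler: validate, then install the IO-PTE. */
int hv_iommu_update_pte(uint16_t domid, uint16_t bdf,
                        uint32_t io_pfn, uint32_t mfn, uint32_t flags)
{
    if (domid >= NR_DOMAINS || io_pfn >= NR_IO_PAGES || mfn >= NR_FRAMES)
        return HV_EINVAL;
    if (flags & ~(IOPTE_VALID | IOPTE_WRITE))
        return HV_EINVAL;                 /* unknown permission bits */
    if (!device_belongs_to(bdf, domid))
        return HV_EPERM;                  /* device not assigned to caller */
    if ((flags & IOPTE_VALID) && frame_owner[mfn] != domid)
        return HV_EPERM;                  /* frame owned by another domain */
    io_pt[domid][io_pfn] = (flags & IOPTE_VALID) ? ((mfn << 2) | flags) : 0;
    return HV_OK;
}

/* Read back an installed entry; returns 0 for out-of-range arguments. */
uint32_t hv_iommu_read_pte(uint16_t domid, uint32_t io_pfn)
{
    if (domid >= NR_DOMAINS || io_pfn >= NR_IO_PAGES)
        return 0;
    return io_pt[domid][io_pfn];
}
```
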