[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] DomD: passthroughing an arbitrary device



sorry, pressed send too fast
On 10/04/2017 09:02 PM, Oleksandr Andrushchenko wrote:

On 10/04/2017 08:22 PM, Julien Grall wrote:


On 04/10/17 17:32, Oleksandr Andrushchenko wrote:
Hi, all!

Hello,

We have a use-case where we want to passthrough and arbitrary device to driver domain,
e.g. GPIO controller or the like (doesn't do any DMA).

I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong.

you are right, sorry for not being precise enough
I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t
passthrough its IRQ.

I guess you are saying that when you use "dtdev" it will deny guest creation.

at least I used/experimented with dtdev as of now and didn't think it is possible not to fill in dtdev's,
but still request IRQs
At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios".

ah, good to know,
could you please confirm that my understanding is correct:
if I put "xen,passthrough" property in guest's device tree node which has IRQ(s) and/or MMIO range(s)
it is enough to get that "passive" device passed through?

should be
If "xen,passthrough" property in a Dom0 device tree node *together* with IRQ(s) and MMIO range(s)
in a *guest config* file is enough to get "passive" device passed through
If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing.

as they say "the best documentation is the source code itself", I should have looked more careful

Possible solutions I see could be:

1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU
protected and writing/reading arbitrary memory then.

2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and
allow passing devices without IOMMU.
Q: What if we need to pass this device to DomU?

3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t
solve the problem with memory protection.

I'm hoping to hear any possible solutions/suggestions which will not break security and allow
passing devices at the same time.

Cheers,

Thank you,
Oleksandr


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.