
Re: [PATCH v2 06/18] IOMMU/x86: restrict IO-APIC mappings for PV Dom0


  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 1 Dec 2021 10:27:21 +0100
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>
  • Delivery-date: Wed, 01 Dec 2021 09:27:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01.12.2021 10:09, Roger Pau Monné wrote:
> On Fri, Sep 24, 2021 at 11:46:57AM +0200, Jan Beulich wrote:
>> @@ -267,44 +267,60 @@ static bool __hwdom_init hwdom_iommu_map
>>       * that fall in unusable ranges for PV Dom0.
>>       */
>>      if ( (pfn > max_pfn && !mfn_valid(mfn)) || xen_in_range(pfn) )
>> -        return false;
>> +        return 0;
>>  
>>      switch ( type = page_get_ram_type(mfn) )
>>      {
>>      case RAM_TYPE_UNUSABLE:
>> -        return false;
>> +        return 0;
>>  
>>      case RAM_TYPE_CONVENTIONAL:
>>          if ( iommu_hwdom_strict )
>> -            return false;
>> +            return 0;
>>          break;
>>  
>>      default:
>>          if ( type & RAM_TYPE_RESERVED )
>>          {
>>              if ( !iommu_hwdom_inclusive && !iommu_hwdom_reserved )
>> -                return false;
>> +                perms = 0;
>>          }
>> -        else if ( is_hvm_domain(d) || !iommu_hwdom_inclusive || pfn > 
>> max_pfn )
>> -            return false;
>> +        else if ( is_hvm_domain(d) )
>> +            return 0;
>> +        else if ( !iommu_hwdom_inclusive || pfn > max_pfn )
>> +            perms = 0;
> 
> I'm confused about the reason to set perms = 0 instead of just
> returning here. AFAICT perms won't be set to any other value below,
> so you might as well just return 0.

This is so that ...

>>      }
>>  
>>      /* Check that it doesn't overlap with the Interrupt Address Range. */
>>      if ( pfn >= 0xfee00 && pfn <= 0xfeeff )
>> -        return false;
>> +        return 0;
>>      /* ... or the IO-APIC */
>> -    for ( i = 0; has_vioapic(d) && i < d->arch.hvm.nr_vioapics; i++ )
>> -        if ( pfn == PFN_DOWN(domain_vioapic(d, i)->base_address) )
>> -            return false;
>> +    if ( has_vioapic(d) )
>> +    {
>> +        for ( i = 0; i < d->arch.hvm.nr_vioapics; i++ )
>> +            if ( pfn == PFN_DOWN(domain_vioapic(d, i)->base_address) )
>> +                return 0;
>> +    }
>> +    else if ( is_pv_domain(d) )
>> +    {
>> +        /*
>> +         * Be consistent with CPU mappings: Dom0 is permitted to establish 
>> r/o
>> +         * ones there, so it should also have such established for IOMMUs.
>> +         */
>> +        for ( i = 0; i < nr_ioapics; i++ )
>> +            if ( pfn == PFN_DOWN(mp_ioapics[i].mpc_apicaddr) )
>> +                return rangeset_contains_singleton(mmio_ro_ranges, pfn)
>> +                       ? IOMMUF_readable : 0;
>> +    }
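
Review bot: the two `perms = 0;` assignments in the `default:` case (the `RAM_TYPE_RESERVED` branch and the `!iommu_hwdom_inclusive || pfn > max_pfn` branch) read as if they could be `return 0;` like their neighbours, because nothing at those sites says why execution has to continue. The only reason visible here is the PV branch at the end of the hunk, which can still return `IOMMUF_readable` for an IO-APIC page found in `mmio_ro_ranges`. A short comment at the assignments, for example "fall through so the IO-APIC check below can still grant a r/o mapping", would document that. The comment in the PV branch could likewise state that an IO-APIC page absent from `mmio_ro_ranges` gets no IOMMU mapping at all, since that is what the `: 0` arm does.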

... this return, as per the comment, takes precedence over returning
zero.

> Note that the emulated vIO-APICs are mapped over the real ones (ie:
> using the same base addresses), and hence both loops will end up using
> the same regions. I would rather keep them separated anyway, just in
> case we decide to somehow change the position of the emulated ones in
> the future.

Yes - I don't think we should bake any such assumption into the code
here.

>> @@ -346,15 +362,19 @@ void __hwdom_init arch_iommu_hwdom_init(
>>      for ( ; i < top; i++ )
>>      {
>>          unsigned long pfn = pdx_to_pfn(i);
>> +        unsigned int perms = hwdom_iommu_map(d, pfn, max_pfn);
>>          int rc;
>>  
>> -        if ( !hwdom_iommu_map(d, pfn, max_pfn) )
>> +        if ( !perms )
>>              rc = 0;
>>          else if ( paging_mode_translate(d) )
>> -            rc = set_identity_p2m_entry(d, pfn, p2m_access_rw, 0);
>> +            rc = set_identity_p2m_entry(d, pfn,
>> +                                        perms & IOMMUF_writable ? 
>> p2m_access_rw
>> +                                                                : 
>> p2m_access_r,
>> +                                        0);
>>          else
>>              rc = iommu_map(d, _dfn(pfn), _mfn(pfn), 1ul << PAGE_ORDER_4K,
>> -                           IOMMUF_readable | IOMMUF_writable, &flush_flags);
>> +                           perms, &flush_flags);
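
Review bot: in the `set_identity_p2m_entry()` call, `perms & IOMMUF_writable ? p2m_access_rw : p2m_access_r` relies on `&` binding tighter than `?:`. It evaluates as intended, but parenthesizing the test as `(perms & IOMMUF_writable)` would make that obvious at a glance. The same expression selects `p2m_access_r` for any non-zero `perms` without the writable bit, so the translated path assumes `hwdom_iommu_map()` never returns a non-zero value lacking `IOMMUF_readable`, while the `iommu_map()` path passes `perms` through unchanged. A comment or an ASSERT stating that assumption would keep the two paths in agreement.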
> 
> You could just call set_identity_p2m_entry uniformly here. It will
> DTRT for non-translated guests also, and then hwdom_iommu_map could
> perhaps return a p2m_access_t?

That's an orthogonal change imo, i.e. could be done as a prereq change,
but I'd prefer to leave it as is for now. Furthermore see "x86/mm: split
set_identity_p2m_entry() into PV and HVM parts": In v2 I'm now also
adjusting the code here (and vpci_make_msix_hole()) to call the
translated-only function.

Jan




 

