Xen project Mailing List

Re: Serious AMD-Vi(?) issue

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Elliott Mitchell <ehem+xen@xxxxxxx>

Date: Mon, 13 May 2024 13:11:33 -0700

Cc: Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Kelly Choi <kelly.choi@xxxxxxxxx>

Delivery-date: Mon, 13 May 2024 20:12:09 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, May 13, 2024 at 10:44:59AM +0200, Roger Pau Monné wrote: > On Fri, May 10, 2024 at 09:09:54PM -0700, Elliott Mitchell wrote: > > On Thu, Apr 18, 2024 at 09:33:31PM -0700, Elliott Mitchell wrote: > > > > > > I suspect this is a case of there is some step which is missing from > > > Xen's IOMMU handling. Perhaps something which Linux does during an early > > > DMA setup stage, but the current Xen implementation does lazily? > > > Alternatively some flag setting or missing step? > > > > > > I should be able to do another test approach in a few weeks, but I would > > > love if something could be found sooner. > > > > Turned out to be disturbingly easy to get the first entry when it > > happened. Didn't even need `dbench`, it simply showed once the OS was > > fully loaded. I did get some additional data points. > > > > Appears this requires an AMD IOMMUv2. A test system with known > > functioning AMD IOMMUv1 didn't display the issue at all. > > > > (XEN) AMD-Vi: IO_PAGE_FAULT: DDDD:bb:dd.f d0 addr fffffffdf8000000 flags > > 0x8 I > > I would expect the address field to contain more information about the > fault, but I'm not finding any information on the AMD-Vi specification > apart from that it contains the DVA, which makes no sense when the > fault is caused by an interrupt. > > > (XEN) DDDD:bb:dd.f root @ 83b5f5 (3 levels) dfn=fffffffdf8000 > > (XEN) L3[1f7] = 0 np > > Attempting to print the page table walk for an Interrupt remapping > fault is useless, we should likely avoid that when the I flag is set. > > I find it surprising this required "iommu=debug" to get this level of > > detail. This amount of output seems more appropriate for "verbose". > > "verbose" should also print this information. Mostly I've noticed Xen's dmesg seems a bit sparse at default settings. Confirming IOMMU was recognized and operational had been a challenge. On the flip side this does mean less potentially sensitive data gets in. > > I strongly prefer to provide snippets. There is a fair bit of output, > > I'm unsure which portion is most pertinent. > > I've already voiced my concern that I think what yo uare doing is not > fair. We are debugging this out of interest, and hence you refusing > to provide all information just hampers our ability to debug, and > makes us spend more time than required just thinking what snippets we > need to ask for. > > I will ask again, what's there in the Xen or the Linux dmesgs that you > are so worried about leaking? Please provide an specific example. I cannot point to specific data in Xen's dmesg which is known to be sensitive. On the flip side all the addresses could readily function as a subliminal channel. Might only be kernels from certain vendors, but hardware serial numbers frequently make it into Linux's dmesg. All the data coming from ACPI tables could readily hide something. Worse, data which seems harmless now might later turn out to reveal things. The usual approach is everyone has PGP keys and logs are kept private on request. > Why do you mask the device SBDF in the above snippet? I would really > like to understand what's so privacy relevant in a PCI SBDF number. I doubt it reveals much. Simply seems unlikely to help debugging and therefore I prefer to mask it. One more Xen dmesg line: (XEN) AMD-Vi: Setup I/O page table: device id = 0xbbdd, type = 0x1, root table = 0xADDRADDR, domain = 0, paging mode = 3 > Does booting with `iommu=no-intremap` lead to any issues being > reported? I'll try that next time I restart the system. Another viable approach. I imagine one or more of the Xen developers have computers with AMD processors. I could send a pair of SATA devices which are known to exhibit the behavior to someone. The known reproductions have featured ASUS motherboards. I doubt this is a requirement, but if one of the main developers has such a system that is a better target. I also note these are plugged into motherboard SATA ports. It is possible add-on card SATA ports might not exhibit the behavior. Then you may discover not much log data is being provided simply due to not much log data being generated. -- (\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/) \BS ( | ehem+sigmsg@xxxxxxx PGP 87145445 | ) / \_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/ 8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445

Follow-Ups:

Re: Serious AMD-Vi(?) issue
- From: Jan Beulich

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.