Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework

From:	Scott Wood
Subject:	Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework
Date:	Tue, 15 Nov 2011 16:29:59 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20110906 Thunderbird/6.0.2

On 11/15/2011 03:40 PM, Aaron Fabbri wrote:
> 
> 
> 
> On 11/15/11 12:10 PM, "Scott Wood" <address@hidden> wrote:
> 
>> On 11/15/2011 12:34 AM, David Gibson wrote:
> <snip> 
>>>> +static int allow_unsafe_intrs;
>>>> +module_param(allow_unsafe_intrs, int, 0);
>>>> +MODULE_PARM_DESC(allow_unsafe_intrs,
>>>> +        "Allow use of IOMMUs which do not support interrupt remapping");
>>>
>>> This should not be a global option, but part of the AMD/Intel IOMMU
>>> specific code.  In general it's a question of how strict the IOMMU
>>> driver is about isolation when it determines what the groups are, and
>>> only the IOMMU driver can know what the possibilities are for its
>>> class of hardware.
>>
>> It's also a concern that is specific to MSIs.  In any case, I'm not sure
>> that the ability to cause a spurious IRQ is bad enough to warrant
>> disabling the entire subsystem by default on certain hardware.
> 
> I think the issue is more that the ability to create fake MSI interrupts can
> lead to bigger exploits.
> 
> Originally we didn't have this parameter. It was added it to reflect the
> fact that MSI's triggered by guests are dangerous without the isolation that
> interrupt remapping provides.
> 
> That is, it *should* be inconvenient to run without interrupt mapping HW
> support.

A sysfs knob is sufficient inconvenience.  It should only affect whether
you can use MSIs, and the relevant issue shouldn't be "has interrupt
remapping" but "is there a hole".

Some systems might address the issue in ways other than IOMMU-level MSI
translation.  Our interrupt controller provides enough separate 4K pages
for MSI interrupt delivery for each PCIe IOMMU group to get its own (we
currently only have 3, one per root complex) -- no special IOMMU feature
required.

It doesn't help that the semantics of IOMMU_CAP_INTR_REMAP are
undefined.  I shouldn't have to know how x86 IOMMUs work when
implementing a driver for different hardware, just to know what the
generic code is expecting.

As David suggests, if you want to do this it should be the x86 IOMMU
driver that has a knob that controls how it forms groups in the absence
of this support.

-Scott

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, (continued)
- Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alexey Kardashevskiy, 2011/11/28
  - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alexey Kardashevskiy, 2011/11/28
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alexey Kardashevskiy, 2011/11/28
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alex Williamson, 2011/11/28
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alex Williamson, 2011/11/29
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Stuart Yoder, 2011/11/29
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alex Williamson, 2011/11/29
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Stuart Yoder, 2011/11/30
    - Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework, Alex Williamson, 2011/11/30

Prev by Date: Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework
Next by Date: Re: [Qemu-devel] converging around a single guest agent
Previous by thread: Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework
Next by thread: Re: [Qemu-devel] [RFC PATCH] vfio: VFIO Driver core framework
Index(es):
- Date
- Thread