Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted
From: Michael S. Tsirkin
Date: Sun Aug 11 2019 - 04:13:05 EST
On Sat, Aug 10, 2019 at 03:07:02PM -0700, Ram Pai wrote:
> On Sat, Aug 10, 2019 at 02:57:17PM -0400, Michael S. Tsirkin wrote:
> > On Tue, Jan 29, 2019 at 03:08:12PM -0200, Thiago Jung Bauermann wrote:
> > >
> > > Hello,
> > >
> > > With Christoph's rework of the DMA API that recently landed, the patch
> > > below is the only change needed in virtio to make it work in a POWER
> > > secure guest under the ultravisor.
> > >
> > > The other change we need (making sure the device's dma_map_ops is NULL
> > > so that the dma-direct/swiotlb code is used) can be made in
> > > powerpc-specific code.
> > >
> > > Of course, I also have patches (soon to be posted as RFC) which hook up
> > > <linux/mem_encrypt.h> to the powerpc secure guest support code.
> > >
> > > What do you think?
> > >
> > > >From d0629a36a75c678b4a72b853f8f7f8c17eedd6b3 Mon Sep 17 00:00:00 2001
> > > From: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx>
> > > Date: Thu, 24 Jan 2019 22:08:02 -0200
> > > Subject: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted
> > >
> > > The host can't access the guest memory when it's encrypted, so using
> > > regular memory pages for the ring isn't an option. Go through the DMA API.
> > >
> > > Signed-off-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxx>
> > > ---
> > > drivers/virtio/virtio_ring.c | 5 ++++-
> > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
> > > index cd7e755484e3..321a27075380 100644
> > > --- a/drivers/virtio/virtio_ring.c
> > > +++ b/drivers/virtio/virtio_ring.c
> > > @@ -259,8 +259,11 @@ static bool vring_use_dma_api(struct virtio_device *vdev)
> > > * not work without an even larger kludge. Instead, enable
> > > * the DMA API if we're a Xen guest, which at least allows
> > > * all of the sensible Xen configurations to work correctly.
> > > + *
> > > + * Also, if guest memory is encrypted the host can't access
> > > + * it directly. In this case, we'll need to use the DMA API.
> > > */
> > > - if (xen_domain())
> > > + if (xen_domain() || sev_active())
> > > return true;
> > >
> > > return false;
> >
> > So I gave this lots of thought, and I'm coming round to
> > basically accepting something very similar to this patch.
> >
> > But not exactly like this :).
> >
> > Let's see what are the requirements.
> >
> > If
> >
> > 1. We do not trust the device (so we want to use a bounce buffer with it)
> > 2. DMA address is also a physical address of a buffer
> >
> > then we should use DMA API with virtio.
> >
> >
> > sev_active() above is one way to put (1). I can't say I love it but
> > it's tolerable.
> >
> >
> > But we also want promise from DMA API about 2.
> >
> >
> > Without promise 2 we simply can't use DMA API with a legacy device.
> >
> >
> > Otherwise, on a SEV system with an IOMMU which isn't 1:1
> > and with a virtio device without ACCESS_PLATFORM, we are trying
> > to pass a virtual address, and devices without ACCESS_PLATFORM
> > can only access CPU physical addresses.
> >
> > So something like:
> >
> > dma_addr_is_phys_addr?
>
>
> On our Secure pseries platform, dma address is physical address and this
> proposal will help us, use DMA API.
>
> On our normal pseries platform, dma address is physical address too.
> But we do not necessarily need to use the DMA API. We can use the DMA
> API, but our handlers will do the same thing, the generic virtio handlers
> would do. If there is an opt-out option; even when dma addr is same as
> physical addr, than there will be less code duplication.
>
> Would something like this be better.
>
> (dma_addr_is_phys_addr && arch_want_to_use_dma_api()) ?
>
>
> RP
I think sev_active() is an OK replacement for arch_want_to_use_dma_api.
So just the addition of dma_addr_is_phys_addr would be enough.
>
> > --
> > MST
>
> --
> Ram Pai