| Message ID | 20170807195713.10963-3-jonathan.derrick@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Delegated to: | Bjorn Helgaas |
| Headers | show |
Hi Robin, thanks for the reply. On 08/11/2017 12:25 PM, Robin Murphy wrote: > On 07/08/17 20:57, Jon Derrick wrote: >> VMD child devices must use the VMD endpoint's ID as the DMA source. >> Because of this, there needs to be a way to link the parent VMD >> endpoint's DMAR domain to the VMD child devices' DMAR domain such that >> attaching and detaching child devices modify the endpoint's DMAR mapping >> and prevents early detaching. > > That sounds like either pci_device_group() needs modifying, or perhaps > that intel-iommu needs its own extended iommu_ops::device_group > implementation, to ensure that VMD child devices get put in the same > group as their parent - if they share requester IDs they can't feasibly > be attached to different domains anyway. > > Robin. Yes it seems like that to me too. I have a high-level understanding of the changes required but not too much in the nitty-gritty details. It's a bit more complicated anyways because VMD emerges a set of root ports, and AFAICT, PCI ACS end at the root ports and iommu groups rely on ACS to group devices. Either way it's not within the scope of VMD.
On Mon, Aug 07, 2017 at 01:57:13PM -0600, Jon Derrick wrote: > VMD child devices must use the VMD endpoint's ID as the DMA source. > Because of this, there needs to be a way to link the parent VMD > endpoint's DMAR domain to the VMD child devices' DMAR domain such that > attaching and detaching child devices modify the endpoint's DMAR mapping > and prevents early detaching. > > This is outside the scope of VMD, so disable binding child devices to > prevent unforeseen issues. This functionality may be implemented in the > future. > > This patch prevents VMD child devices from returning an IOMMU, which > prevents it from exposing iommu_group sysfs directories and subsequent > binding by userspace-access drivers such as VFIO. > > Signed-off-by: Jon Derrick <jonathan.derrick@intel.com> > --- > drivers/iommu/intel-iommu.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c > index 687f18f..651a6cd 100644 > --- a/drivers/iommu/intel-iommu.c > +++ b/drivers/iommu/intel-iommu.c > @@ -905,6 +905,11 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf > * the PF instead to find the IOMMU. */ > pf_pdev = pci_physfn(pdev); > dev = &pf_pdev->dev; > + > + /* VMD child devices currently cannot be handled individually */ > + if (pci_bus_is_vmd(pdev->bus)) Aah, this is the bigger reason why you want a general "is VMD" thing. But this is still basically x86-specific code (I do see the ia64 in Kconfig, so I guess maybe ia64 as well). But pci_bus_is_vmd() doesn't feel like a generally useful concept. I see why you need things like this quirk, but it's not clear what useful things other code could do with pci_bus_is_vmd() because we don't have a generic concept of how VMD buses are different than other PCI buses. > + return NULL; > + > segment = pci_domain_nr(pdev->bus); > } else if (has_acpi_companion(dev)) > dev = &ACPI_COMPANION(dev)->dev; > -- > 2.9.4 >
On 07/08/17 20:57, Jon Derrick wrote: > VMD child devices must use the VMD endpoint's ID as the DMA source. > Because of this, there needs to be a way to link the parent VMD > endpoint's DMAR domain to the VMD child devices' DMAR domain such that > attaching and detaching child devices modify the endpoint's DMAR mapping > and prevents early detaching. That sounds like either pci_device_group() needs modifying, or perhaps that intel-iommu needs its own extended iommu_ops::device_group implementation, to ensure that VMD child devices get put in the same group as their parent - if they share requester IDs they can't feasibly be attached to different domains anyway. Robin. > This is outside the scope of VMD, so disable binding child devices to > prevent unforeseen issues. This functionality may be implemented in the > future. > > This patch prevents VMD child devices from returning an IOMMU, which > prevents it from exposing iommu_group sysfs directories and subsequent > binding by userspace-access drivers such as VFIO. > > Signed-off-by: Jon Derrick <jonathan.derrick@intel.com> > --- > drivers/iommu/intel-iommu.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c > index 687f18f..651a6cd 100644 > --- a/drivers/iommu/intel-iommu.c > +++ b/drivers/iommu/intel-iommu.c > @@ -905,6 +905,11 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf > * the PF instead to find the IOMMU. */ > pf_pdev = pci_physfn(pdev); > dev = &pf_pdev->dev; > + > + /* VMD child devices currently cannot be handled individually */ > + if (pci_bus_is_vmd(pdev->bus)) > + return NULL; > + > segment = pci_domain_nr(pdev->bus); > } else if (has_acpi_companion(dev)) > dev = &ACPI_COMPANION(dev)->dev; >
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index 687f18f..651a6cd 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -905,6 +905,11 @@ static struct intel_iommu *device_to_iommu(struct device *dev, u8 *bus, u8 *devf * the PF instead to find the IOMMU. */ pf_pdev = pci_physfn(pdev); dev = &pf_pdev->dev; + + /* VMD child devices currently cannot be handled individually */ + if (pci_bus_is_vmd(pdev->bus)) + return NULL; + segment = pci_domain_nr(pdev->bus); } else if (has_acpi_companion(dev)) dev = &ACPI_COMPANION(dev)->dev;
VMD child devices must use the VMD endpoint's ID as the DMA source. Because of this, there needs to be a way to link the parent VMD endpoint's DMAR domain to the VMD child devices' DMAR domain such that attaching and detaching child devices modify the endpoint's DMAR mapping and prevents early detaching. This is outside the scope of VMD, so disable binding child devices to prevent unforeseen issues. This functionality may be implemented in the future. This patch prevents VMD child devices from returning an IOMMU, which prevents it from exposing iommu_group sysfs directories and subsequent binding by userspace-access drivers such as VFIO. Signed-off-by: Jon Derrick <jonathan.derrick@intel.com> --- drivers/iommu/intel-iommu.c | 5 +++++ 1 file changed, 5 insertions(+)