Thread (29 messages) 29 messages, 4 authors, 2021-12-08

RE: [PATCH RFC v2] vfio: Documentation for the migration region

From: Shameerali Kolothum Thodi <hidden>
Date: 2021-12-01 09:54:33
Also in: kvm 

-----Original Message-----
From: Jason Gunthorpe [mailto:jgg@nvidia.com]
Sent: 01 December 2021 03:14
To: Alex Williamson <redacted>
Cc: Jonathan Corbet <corbet@lwn.net>; linux-doc@vger.kernel.org; Cornelia
Huck [off-list ref]; kvm@vger.kernel.org; Kirti Wankhede
[off-list ref]; Max Gurtovoy [off-list ref];
Shameerali Kolothum Thodi [off-list ref]; Yishai
Hadas [off-list ref]
Subject: Re: [PATCH RFC v2] vfio: Documentation for the migration region

On Tue, Nov 30, 2021 at 03:35:41PM -0700, Alex Williamson wrote:

quoted
quoted
From what HNS said the device driver would have to trap every MMIO to
implement NDMA as it must prevent touches to the physical HW MMIO to
maintain the NDMA state.

The issue is that the HW migration registers can stop processing the
queue and thus enter NDMA but a MMIO touch can resume queue
processing, so NDMA cannot be sustained.

Trapping every MMIO would have a huge negative performance impact.
So
quoted
quoted
it doesn't make sense to do so for a device that is not intended to be
used in any situation where NDMA is required.
But migration is a cooperative activity with userspace.  If necessary
we can impose a requirement that mmap access to regions (other than the
migration region itself) are dropped when we're in the NDMA or !RUNNING
device_state.
It is always NDMA|RUNNING, so we can't fully drop access to
MMIO. Userspace would have to transfer from direct MMIO to
trapping. With enough new kernel infrastructure and qemu support it
could be done.
As far as our devices are concerned we put the dev queue into a PAUSE state
in the !RUNNUNG state. And since we don't have any P2P support, is it ok
to put the onus on userspace here that it won't try to access the MMIO during
!RUNNUNG state?

So just to make it clear , if a device declares that it doesn't support NDMA
and P2P, is the v1 version of the spec good enough or we still need to take
care the case that a malicious user might try MMIO access in !RUNNING
state and should have kernel infrastructure in place to safe guard that?

Even so, we can't trap accesses through the IOMMU so such a scheme
would still require removing IOMMU acess to the device. Given that the
basic qemu mitigation for no NDMA support is to eliminate P2P cases by
removing the IOMMU mappings this doesn't seem to advance anything and
only creates complexity.

At least I'm not going to insist that hns do all kinds of work like
this for a edge case they don't care about as a precondition to get a
migration driver.
Yes. That's our concern too.

(Just a note to clarify that these are not HNS devices per se. HNS actually
stands for HiSilicon Network Subsystem and doesn't currently have live
migration capability. The devices capable of live migration are HiSilicon
Accelerator devices).

Thanks,
Shameer
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help