On 2020-06-11 05:10, Jason Wang wrote:

On 2020/6/10 下午9:11, Pierre Morel wrote:

quoted

Protected Virtualisation protects the memory of the guest and
do not allow a the host to access all of its memory.

Let's refuse a VIRTIO device which does not use IOMMU
protected access.

Signed-off-by: Pierre Morel <redacted>
---
  drivers/s390/virtio/virtio_ccw.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/drivers/s390/virtio/virtio_ccw.c 

b/drivers/s390/virtio/virtio_ccw.c
index 5730572b52cd..06ffbc96587a 100644

--- a/drivers/s390/virtio/virtio_ccw.c
+++ b/drivers/s390/virtio/virtio_ccw.c

@@ -986,6 +986,11 @@ static void virtio_ccw_set_status(struct 

virtio_device *vdev, u8 status)
      if (!ccw)
          return;
+    /* Protected Virtualisation guest needs IOMMU */
+    if (is_prot_virt_guest() &&
+        !__virtio_test_bit(vdev, VIRTIO_F_IOMMU_PLATFORM))
+            status &= ~VIRTIO_CONFIG_S_FEATURES_OK;
+
      /* Write the status to the host. */
      vcdev->dma_area->status = status;
      ccw->cmd_code = CCW_CMD_WRITE_STATUS;

I wonder whether we need move it to virtio core instead of ccw.

I think the other memory protection technologies may suffer from this as 
well.

Thanks

What would you think of the following, also taking into account Connie's 
comment on where the test should be done:

- declare a weak function in virtio.c code, returning that memory 
protection is not in use.

- overwrite the function in the arch code

- call this function inside core virtio_finalize_features() and if 
required fail if the device don't have VIRTIO_F_IOMMU_PLATFORM.

Alternative could be to test a global variable that the architecture 
would overwrite if needed but I find the weak function solution more 
flexible.

With a function, we also have the possibility to provide the device as 
argument and take actions depending it, this may answer Halil's concern.

Regards,
Pierre

-- 
Pierre Morel
IBM Lab Boeblingen