Xen project Mailing List

Re: [Xen-devel] [PATCH] iommu: leave IOMMU enabled by default during kexec crash transition

To: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, "Igor Druzhinin" <igor.druzhinin@xxxxxxxxxx>

From: "Jan Beulich" <JBeulich@xxxxxxxx>

Date: Tue, 19 Feb 2019 00:43:14 -0700

Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>

Delivery-date: Tue, 19 Feb 2019 07:45:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 18.02.19 at 19:30, <andrew.cooper3@xxxxxxxxxx> wrote: > On 18/02/2019 16:21, Igor Druzhinin wrote: >> It's unsafe to disable IOMMU on a live system which is the case >> if we're crashing since remapping hardware doesn't usually know what >> to do with ongoing bus transactions and frequently raises NMI/MCE/SMI, >> etc. (depends on the firmware configuration) to signal these abnormalities. >> This, in turn, doesn't play well with kexec transition process as there is >> no any handling available at the moment for this kind of events resulting >> in failures to enter the kernel. >> >> Modern Linux kernels taught to copy all the necessary DMAR/IR tables >> following kexec from the previous kernel (Xen in our case) - so it's >> currently normal to keep IOMMU enabled. It would only require to change >> crash kernel command line by enabling IOMMU drivers from the existing users. Is this the normal option ("intel_iommu=on" in the Intel case), or rather something special? Considering that you explicitly talk about Linux here anyway, mentioning the option(s) explicitly would seem to make sense. >> An option is left for compatibility with ancient crash kernels which >> didn't like to have IOMMU active under their feet on boot. >> >> Signed-off-by: Igor Druzhinin <igor.druzhinin@xxxxxxxxxx> > > To provide a bit of extra background, it turns out that in hindsight, > turning off the IOMMU in a crash usually makes things worse rather than > better. For an unknown definition of "usually". Corrupted (IOMMU) page tables are not really an impossible crash reason. > In particular, any guest with a PCI device which happens to allocate a > DMA buffer in GFN space which matches the crash region in MFN space will > end up corrupting the crash kernel when DMA remapping gets turned off. Indeed, but that's only PVH Dom0 (unsupported as of yet) or PV Dom0 using PV IOMMU functionality (not even in tree as of yet). So the question is how applicable this change really is at this point in time. I notice it hasn't been tagged for 4.12, so please don't take this as objection to it going in - I'm only trying to better understand the implications. > Being able to boot with an IOMMU already active is becoming common, not > least because of the ongoing efforts to enforce pre-DXE DMA protection > to protect against cold-boot DMA rootkits. What about the interrupt remapping part of the IOMMU functionality? Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.