[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v5 06/14] vpci/header: implement guest BAR register handlers
On 31.01.22 15:51, Jan Beulich wrote: > On 31.01.2022 14:41, Oleksandr Andrushchenko wrote: >> On 31.01.22 15:36, Jan Beulich wrote: >>> On 31.01.2022 14:30, Oleksandr Andrushchenko wrote: >>>> On 31.01.22 13:39, Jan Beulich wrote: >>>>> On 31.01.2022 12:23, Oleksandr Andrushchenko wrote: >>>>>> On 31.01.22 13:10, Roger Pau Monné wrote: >>>>>>> Right (see my previous reply to this comment). I think it would be >>>>>>> easier (and cleaner) if you switched the default behavior regarding >>>>>>> unhandled register access for domUs at the start of the series (drop >>>>>>> writes, reads returns ~0), and then you won't need to add all those >>>>>>> dummy handler to drop writes and return ~0 for reads. >>>>>>> >>>>>>> It's going to be more work initially as you would need to support >>>>>>> passthrough of more registers, but it's the right approach that we >>>>>>> need implementation wise. >>>>>> While I agree in general, this effectively means that I'll need to >>>>>> provide >>>>>> handling for all PCIe registers and capabilities from the very start. >>>>>> Otherwise no guest be able to properly initialize a PCI device without >>>>>> that. >>>>>> Of course, we may want starting from stubs instead of proper emulation, >>>>>> which will direct the access to real HW and later on we add proper >>>>>> emulation. >>>>>> But, again, this is going to be a rather big piece of code where we need >>>>>> to explicitly handle every possible capability. >>>>> Since the two sub-threads are now about exactly the same topic, I'm >>>>> answering here instead of there. >>>>> >>>>> No, you are not going to need to emulate all possible capabilities. >>>>> We (or really qemu) don't do this on x86 either. Certain capabilities >>>>> may be a must, but not everything. There are also device specific >>>>> registers not covered by any capability structures - what to do with >>>>> those is even more of a question. >>>>> >>>>> Furthermore for some of the fields justification why access to the >>>>> raw hardware value is fine is going to be easy: r/o fields like >>>>> vendor and device ID, for example. But every bit you allow direct >>>>> access to needs to come with justification. >>>>> >>>>>> At the moment we are not going to claim that vPCI provides all means to >>>>>> pass through a PCI device safely with this respect and this is why the >>>>>> feature >>>>>> itself won't even be a tech preview yet. For that reason I think we can >>>>>> still >>>>>> have implemented only crucial set of handlers and still allow the rest to >>>>>> be read/write directly without emulation. >>>>> I think you need to separate what you need for development from what >>>>> goes upstream: For dev purposes you can very well invert the policy >>>>> from white- to black-listing. But if we accepted the latter into the >>>>> main tree, the risk would be there that something gets missed at the >>>>> time where the permission model gets changed around. >>>>> >>>>> You could even have a non-default mode operating the way you want it >>>>> (along the lines of pciback's permissive mode), allowing you to get >>>>> away without needing to carry private patches. Things may also >>>>> initially only work in that mode. But the default should be a mode >>>>> which is secure (and which perhaps initially offers only very limited >>>>> functionality). >>>> Ok, so to make it clear: >>>> 1. We do not allow unhandled access for guests: for that I will create a >>>> dedicated patch which will implement such restrictions. Something like >>>> the below (for both vPCI read and write): >>>> >>>> diff --git a/xen/drivers/vpci/vpci.c b/xen/drivers/vpci/vpci.c >>>> index c5e67491c24f..9ef2a1b5af58 100644 >>>> --- a/xen/drivers/vpci/vpci.c >>>> +++ b/xen/drivers/vpci/vpci.c >>>> @@ -347,6 +347,7 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, >>>> unsigned int size) >>>> const struct vpci_register *r; >>>> unsigned int data_offset = 0; >>>> uint32_t data = ~(uint32_t)0; >>>> + bool handled = false; >>>> >>>> if ( !size ) >>>> { >>>> @@ -405,6 +406,8 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, >>>> unsigned int size) >>>> if ( cmp > 0 ) >>>> continue; >>>> >>>> + handled = true; /* Found the handler for this access. */ >>>> + >>>> if ( emu.offset < r->offset ) >>>> { >>>> /* Heading gap, read partial content from hardware. */ >>>> @@ -432,6 +435,10 @@ uint32_t vpci_read(pci_sbdf_t sbdf, unsigned int reg, >>>> unsigned int size) >>>> } >>>> spin_unlock(&pdev->vpci_lock); >>>> >>>> + /* All unhandled guest requests return all 1's. */ >>>> + if ( !is_hardware_domain(d) && !handled ) >>>> + return ~(uint32_t)0; >>>> + >>>> if ( data_offset < size ) >>>> { >>>> /* Tailing gap, read the remaining. */ >>> Except that like for the "tailing gap" you also need to avoid the >>> "heading gap" ending up in a read of the underlying hardware >>> register. Effectively you want to deal properly with all >>> vpci_read_hw() invocations (including the one when no pdev was >>> found, which for a DomU may simply mean domain_crash()). >> Yes. And with the above patch I can now remove the "TODO patch" then? >> Because it is saying that we allow access to the registers, but it is not >> safe. >> And now, if we disable that access, then TODO should be about the need to >> implement emulation for all the registers which are not yet handled which is >> obvious. > Yes, I think that other patch then should have no use anymore. (To be > honest I don't recall such a patch anyway.) This is "[PATCH v5 14/14] vpci: add TODO for the registers not explicitly handled" in this series > > Jan > Thank you, Oleksandr
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |