[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH V4] Add requirements for Device Passthrough


  • To: Oleksandr Tyshchenko <olekstysh@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>, <amd-xen-safety@xxxxxxxxx>
  • From: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>
  • Date: Mon, 8 Apr 2024 13:38:52 -0400
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=gmail.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yvV5SQCeWdgRdWuc5tGujfAp/NoKY1TrTKtUJiwNMO8=; b=ikKMDrfDTezkt8Wru579V262J6nUcDzpgDV8iVHovuG1Y6Z+aD7ztLpLrkxsY/VAOZ6OHcwy8NX7tucgr2EHwq9WFXmU98v6+pq+Qz03g/viNj1aX5YonBgY8ydpAkEweLXie6q6+cCyRbqaMtoJxyKKiQsqI8qOQN1j4PIXVfe9Um1ru4DGt3ZcKzIfduHD3Q5xI3UXqqzWdvXtkAGhKM1lGz4hnuwvLJ3HGAvAbn/IKSgXC4nDxd2xLezlf4B0S5ywFsLnCtUZ2lV3AxeufSQ+PUjRirmoEngsztWr4s9r3AV3AiAj6CKxbPlh/7AqVLIVDbf9RdFUMwpK+LRfHQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=f0b7el21/ca02BMEbdsZoBsCJvfo8N/WFF1FWdhRVL1ehZio4pnBlYmdfuOqamgM8/qw6KMoEuf7FgovGMBqgbboLenHMqwl6G6DmJIom2BQk/n+NOeo7RNwxA0ctJC+dgBarQ/WWyxhCdM1qgXpCA5UeRz00WEG73n/G+TH+3VSbXx3JgUv7NnhdAp3Tm59urvs34vaP+Hx2v7CIVxaU8H5IA1jLc1HIUP4qH4uIhAB6GWIMHdo34pDOeC26YM+8Z72Yx2Fkp4/diGbMs+C7sKxjPFQzMCRQZoBryXWCqqESM5JuBwfci27DqQ3gkUr//qG9WUkEUBydySeefU2hw==
  • Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Artem Mygaiev <artem_mygaiev@xxxxxxxx>, "Ayan Kumar Halder" <ayankuma@xxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxx>, Mykola Kvach <mykola_kvach@xxxxxxxx>
  • Delivery-date: Mon, 08 Apr 2024 17:39:28 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 4/8/24 09:19, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>
> 
> Please refer to chapter "Device Passthrough":
> https://groups.io/g/amd-xen-safety/message/1300
> 
> Create corresponding directory and README file.
> 
> Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>

Two nits below. With those addressed:

Reviewed-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx>

> ---
> 
>   V2:
>    - add R-b
>    - update README
>    - lower case for platform, s/simple/non-DMA-capable, other misc
>      updates
>    - add "Allowed for the safe direct mapped VMs only"
>      to reqs for DMA-capable devices without IOMMU protection
>    - add dom0less passthrough details where needed
>    - add reqs for PCI devices discovering
> 
>   V3:
>    - move common reqs "Assign PCI device to domain (without IOMMU)" and
>      "Deassign PCI device from domain (without IOMMU)" to Arm64 only
>    - clarify the DMA-capable device assignment w/o IOMMU,
>      add more details
>    - drop R-b
> 
>   V4:
>    - add the following reqs:
>      - Assign interrupt-less platform device to domain
>      - Deassign interrupt-less platform device from domain
>      - Map platform device MMIO region identity
>      - Map platform device MMIO region non-identity
>    - add more details
>    - repeat the relevant info in all assign reqs
> ---
> ---
>  .../physical_resources/README.rst             |  16 +
>  .../physical_resources/passthrough.rst        | 477 ++++++++++++++++++
>  2 files changed, 493 insertions(+)
>  create mode 100644 domain_creation_and_runtime/physical_resources/README.rst
>  create mode 100644 
> domain_creation_and_runtime/physical_resources/passthrough.rst
> 
> diff --git a/domain_creation_and_runtime/physical_resources/README.rst 
> b/domain_creation_and_runtime/physical_resources/README.rst
> new file mode 100644
> index 0000000..0eb4dd4
> --- /dev/null
> +++ b/domain_creation_and_runtime/physical_resources/README.rst
> @@ -0,0 +1,16 @@
> +Physical resources
> +==================
> +
> +This section lists the requirements related to physical resources directly
> +accessible from the domain as well as physical resources entirely controlled
> +by Xen and invisible to a domain. The later group of resources, although 
> being
> +invisible to a domain, has an impact on it.
> +
> +Examples of domain physical resources:
> +    | 1. PCI device
> +    | 2. Platform device
> +    | 3. MMU stage 1
> +
> +Examples of Xen physical resources:
> +    | 1. IOMMU stage 2
> +    | 2. MMU stage 2
> diff --git a/domain_creation_and_runtime/physical_resources/passthrough.rst 
> b/domain_creation_and_runtime/physical_resources/passthrough.rst
> new file mode 100644
> index 0000000..f619730
> --- /dev/null
> +++ b/domain_creation_and_runtime/physical_resources/passthrough.rst
> @@ -0,0 +1,477 @@
> +Device Passthrough
> +==================
> +
> +The following are the requirements related to a physical device
> +assignment [1], [2] to Arm64 and AMD64 PVH domains.
> +
> +Requirements for both Arm64 and AMD64 PVH
> +=========================================
> +
> +Hide IOMMU from a domain
> +------------------------
> +
> +`XenSSR~hide_iommu_from_domain~1`
> +
> +Description:
> +Xen should not expose the IOMMU device to the domain even if I/O 
> virtualization
> +is disabled. The IOMMU should be under hypervisor control only.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Discover PCI devices from hardware domain
> +-----------------------------------------
> +
> +`XenSSR~discover_pci_devices_from_hwdom~1`
> +
> +Description:
> +The hardware domain shall be able to enumerate and discover PCI devices and
> +inform Xen about their appearance and disappearance
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Discover PCI devices from Xen
> +-----------------------------
> +
> +`XenSSR~discover_pci_devices_from_xen~1`
> +
> +Description:
> +Xen shall be able to discover PCI devices (enumerated by the firmware
> +beforehand) during boot if the hardware domain is not meant to be used
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Assign PCI device to domain (with IOMMU)
> +----------------------------------------
> +
> +`XenSSR~assign_pci_device_with_iommu~1`
> +
> +Description:
> +Xen shall be able to assign a specified PCI device (always implied as
> +DMA-capable) to a domain during its creation using passthrough (partial)
> +device tree. The physical device to be assigned is protected by the IOMMU.
> +
> +Rationale:
> +
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The PCI device to be passed through is specified using device tree 
> property
> +   ("xen,pci-assigned") in the "passthrough" node described in the 
> passthrough
> +   device tree
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Deassign PCI device from domain (with IOMMU)
> +--------------------------------------------
> +
> +`XenSSR~deassign_pci_device_with_iommu~1`
> +
> +Description:
> +Xen shall be able to deassign a specified PCI device from a domain during its
> +destruction. The physical device to be deassigned is protected by the IOMMU.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Forbid the same PCI device assignment to multiple domains
> +---------------------------------------------------------
> +
> +`XenSSR~forbid_same_pci_device_assignment~1`
> +
> +Description:
> +Xen should not assign the same PCI device to multiple domains by failing
> +to create a new domain if the device to be passed through is already assigned
> +to the existing domain. Also different PCI devices which share any resources
> +(interrupts, IOMMU connections) can be assigned only to the same domain.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Requirements for Arm64 only
> +===========================
> +
> +Assign interrupt-less platform device to domain
> +-----------------------------------------------
> +
> +`XenSSR~assign_interrupt_less_platform_device~1`
> +
> +Description:
> +Xen shall be able to assign a specified platform device that has only a MMIO
> +region (does not have any interrupts) to a domain during its creation using
> +passthrough device tree.
> +The example of interrupt-less device is PWM or clock controller.
> +
> +Rationale:
> +
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The passthrough device tree should entirely describe the platform device 
> to
> +   be passed through for the domain to be able to discover and use this 
> device
> + - The intention of the platform device usage for the passthrough is 
> specified
> +   using device tree property ("xen,passthrough") in the device node 
> described
> +   in the host device tree
> + - The memory region of the platform device and corresponding guest address 
> for
> +   remapping are specified using device tree property ("xen,reg") in the 
> device
> +   node described in the passthrough device tree
> + - The allowance of the platform device assignment which is not behind an 
> IOMMU
> +   (for both non-DMA-capable and DMA-capable devices) is specified using 
> device
> +   tree property ("xen,force-assign-without-iommu") in the device node
> +   described in the passthrough device tree. The said property also allows
> +   the interrupt-less platform device assignment (a device that has only a 
> MMIO
> +   region) without specifying the corresponding node in the host device via
> +   device tree property ("xen,path").
> +   For the DMA-capable devices this property is only allowed for the direct
> +   mapped VMs with special care to be taken
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> +
> + - XenValTestCase
> +
> +Deassign interrupt-less platform device from domain
> +---------------------------------------------------
> +
> +`XenSSR~deassign_interrupt_less_platform_device~1`
> +
> +Description:
> +Xen shall be able to deassign a specified platform device that has only a 
> MMIO
> +region (does not have any interrupts) from a domain during its destruction
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Assign non-DMA-capable platform device to domain
> +------------------------------------------------
> +
> +`XenSSR~assign_non_dma_platform_device~1`
> +
> +Description:
> +Xen shall be able to assign a specified non-DMA-capable platform
> +device to a domain during its creation using passthrough device tree.
> +The example of non-DMA-capable device is Timer.
> +
> +Rationale:
> +
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The passthrough device tree should entirely describe the platform device 
> to
> +   be passed through for the domain to be able to discover and use this 
> device
> + - The intention of the platform device usage for the passthrough is 
> specified
> +   using device tree property ("xen,passthrough") in the device node 
> described
> +   in the host device tree
> + - The memory region of the platform device and corresponding guest address 
> for
> +   remapping are specified using device tree property ("xen,reg") in the 
> device
> +   node described in the passthrough device tree
> + - The path of the platform device node in the host device tree is specified
> +   using device tree property ("xen,path") in the device node described
> +   in the passthrough device tree. Both interrupt mappings and IOMMU settings
> +   are based on it
> + - The allowance of the platform device assignment which is not behind an 
> IOMMU
> +   (for both non-DMA-capable and DMA-capable devices) is specified using 
> device
> +   tree property ("xen,force-assign-without-iommu") in the device node
> +   described in the passthrough device tree. The said property also allows
> +   the interrupt-less platform device assignment (a device that has only a 
> MMIO
> +   region) without specifying the corresponding node in the host device via
> +   device tree property ("xen,path").
> +   For the DMA-capable devices this property is only allowed for the direct
> +   mapped VMs with special care to be taken
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Deassign non-DMA-capable platform device from domain
> +----------------------------------------------------
> +
> +`XenSSR~deassign_non_dma_platform_device~1`
> +
> +Description:
> +Xen shall be able to deassign a specified non-DMA-capable platform
> +device from a domain during its destruction
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Assign DMA-capable platform device to domain (with IOMMU)
> +---------------------------------------------------------
> +
> +`XenSSR~assign_dma_platform_device_with_iommu~1`
> +
> +Description:
> +Xen shall be able to assign a specified DMA-capable platform device to a 
> domain
> +during its creation using passthrough device tree. The physical device to be
> +assigned is protected by the IOMMU.
> +
> +Rationale:
> +
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The passthrough device tree should entirely describe the platform device 
> to
> +   be passed through for the domain to be able to discover and use this 
> device
> + - The intention of the platform device usage for the passthrough is 
> specified
> +   using device tree property ("xen,passthrough") in the device node 
> described
> +   in the host device tree
> + - The memory region of the platform device and corresponding guest address 
> for
> +   remapping are specified using device tree property ("xen,reg") in the 
> device
> +   node described in the passthrough device tree
> + - The path of the platform device node in the host device tree is specified
> +   using device tree property ("xen,path") in the device node described
> +   in the passthrough device tree. Both interrupt mappings and IOMMU settings
> +   are based on it
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Deassign DMA-capable platform device from domain (with IOMMU)
> +-------------------------------------------------------------
> +
> +`XenSSR~deassign_dma_platform_device_with_iommu~1`
> +
> +Description:
> +Xen shall be able to deassign a specified DMA-capable platform device from
> +a domain during its destruction. The physical device to be deassigned is
> +protected by the IOMMU.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Assign DMA-capable platform device to domain (without IOMMU)
> +------------------------------------------------------------
> +
> +`XenSSR~assign_dma_platform_device_without_iommu~1`
> +
> +Description:
> +Xen shall be able to assign a specified DMA-capable platform device to a 
> domain
> +during its creation using passthrough device tree. The physical device to be
> +assigned is not protected by the IOMMU.
> +Here and everywhere it applies, the DMA-capable device assignment which is 
> not
> +behind an IOMMU is allowed for the direct mapped VMs only. The direct mapped 
> VM
> +must be either safe or additional security mechanisms for protecting against
> +possible malicious or buggy DMA devices must be in place, e.g. Xilinx memory
> +protection unit (XMPU) and Xilinx peripheral protection unit (XPPU).
> +
> +Rationale:
> +
> + - The IOMMU is absent from the system or it is disabled (status = "disabled"
> +   in the host device tree)
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The passthrough device tree should entirely describe the platform device 
> to
> +   be passed through for the domain to be able to discover and use this 
> device
> + - The intention of the platform device usage for the passthrough is 
> specified
> +   using device tree property ("xen,passthrough") in the device node 
> described
> +   in the host device tree
> + - The memory region of the platform device and corresponding guest address 
> for
> +   remapping are specified using device tree property ("xen,reg") in the 
> device
> +   node described in the passthrough device tree
> + - The path of the platform device node in the host device tree is specified
> +   using device tree property ("xen,path") in the device node described
> +   in the passthrough device tree. Both interrupt mappings and IOMMU settings
> +   are based on it
> + - The allowance of the platform device assignment which is not behind an 
> IOMMU
> +   (for both non-DMA-capable and DMA-capable devices) is specified using 
> device
> +   tree property ("xen,force-assign-without-iommu") in the device node
> +   described in the passthrough device tree. The said property also allows
> +   the interrupt-less platform device assignment (a device that has only a 
> MMIO
> +   region) without specifying the corresponding node in the host device via
> +   device tree property ("xen,path").
> +   For the DMA-capable devices this property is only allowed for the direct
> +   mapped VMs with special care to be taken
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Deassign DMA-capable platform device from domain (without IOMMU)
> +----------------------------------------------------------------
> +
> +`XenSSR~deassign_dma_platform_device_without_iommu~1`
> +
> +Description:
> +Xen shall be able to deassign a specified DMA-capable platform device from
> +a domain during its destruction. The physical device to be deassigned is not
> +protected by the IOMMU.
> +
> +Rationale:
> +The IOMMU is absent from the system or it is disabled (status = "disabled"
> +in the host device tree)
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Map platform device MMIO region identity
> +----------------------------------------
> +
> +`XenSSR~map_platform_device_mmio_region_ident~1`
> +
> +Description:
> +Xen shall be able to map platform device memory region identity
> +(guest address == physical address) when assigning a specified platform
> +device to a domain. The device can be either non-DMA-capable or DMA-capable.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Map platform device MMIO region non-identity
> +--------------------------------------------
> +
> +`XenSSR~map_platform_device_mmio_region_non_ident~1`
> +
> +Description:
> +Xen shall be able to map platform device memory region non-identity
> +(guest address != physical address) when assigning a specified platform
> +device to a domain. The device can be either non-DMA-capable or DMA-capable.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Assign PCI device to domain (without IOMMU)
> +-------------------------------------------
> +
> +`XenSSR~assign_pci_device_without_iommu~1`
> +
> +Description:
> +Xen shall be able to assign a specified PCI device to a domain during its
> +creation using passthrough device tree. The physical device to be assigned
> +is not protected by the IOMMU.

Nit: The same limitation as the platform device applies here too: it is
allowed for direct mapped VMs only. You do mention "... and everywhere
it applies ..." above, so I guess that covers it here as well.
Regardless, I think it would be clearer to mention it here too, so we
don't have to imply from the context of another requirement.

> +
> +Rationale:
> +
> + - The IOMMU is absent from the system or it is disabled (status = "disabled"
> +   in the host device tree)
> + - The passthrough device tree is specified using a device tree module node
> +   with compatible ("multiboot,device-tree") in the host device tree
> + - The PCI device to be passed through is specified using device tree 
> property
> +   ("xen,pci-assigned") in the "passthrough" node described in the 
> passthrough
> +   device tree
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Deassign PCI device from domain (without IOMMU)
> +-----------------------------------------------
> +
> +`XenSSR~deassign_pci_device_without_iommu~1`
> +
> +Description:
> +Xen shall be able to deassign a specified PCI device from a domain during its
> +destruction. The physical device to be deassigned is not protected
> +by the IOMMU.
> +
> +Rationale:
> +The IOMMU is absent from the system or it is disabled (status = "disabled"
> +in the host device tree)
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Forbid the same platform device assignment to multiple domains
> +--------------------------------------------------------------
> +
> +`XenSSR~forbid_same_platform_device_assignment~1`
> +
> +Description:
> +Xen should not assign the same platform device to multiple domains by failing
> +to create a new domain if the device to be passed through is already assigned
> +to the existing domain. Also, different platform devices which share any
> +resources (interrupts, IOMMU connections) can be assigned only to the same
> +domain.
> +
> +Rationale:
> +
> +Covers:
> + - `XenPRQ~device_passthrough~1`
> +
> +Needs:
> + - XenValTestCase
> +
> +Notes
> +=====
> +
> +The AMD64 PVH-specific requirements are written under the assumption that 
> once
> +the hyperlaunch feature is completed, Xen shall be able to assign a PCI 
> device
> +to started at boot time domains.

Nit: The grammar here looks odd. How about "... assign a PCI device to
boot time domains." ?

> This is not the case today, where the PCI
> +device can be passed through only to domains launched by a control 
> (toolstack)
> +domain.
> +
> +The Arm64-specific requirements are written under the assumption that once
> +the dom0less PCI Passthrough feature is completed, Xen shall be able to 
> assign
> +a PCI device to started at boot time domains.

Similarly here.

> This is not the case today,
> +where only the platform device Passthrough is supported.
> +
> +| [1] 
> https://xenbits.xenproject.org/gitweb/?p=xen.git;a=blob;f=docs/misc/arm/passthrough.txt;hb=HEAD
> +| [2] 
> https://xenbits.xenproject.org/gitweb/?p=xen.git;a=blob;f=docs/misc/arm/passthrough-noiommu.txt;hb=HEAD




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.