Xen project Mailing List

Re: [RFC PATCH v2] iommu/xen: Add Xen PV-IOMMU driver

To: Teddy Astie <teddy.astie@xxxxxxxxxx>

From: Jason Gunthorpe <jgg@xxxxxxxx>

Date: Mon, 24 Jun 2024 13:32:54 -0300

Cc: Robin Murphy <robin.murphy@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, iommu@xxxxxxxxxxxxxxx, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, Joerg Roedel <joro@xxxxxxxxxx>, Will Deacon <will@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 24 Jun 2024 16:33:15 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jun 24, 2024 at 02:36:45PM +0000, Teddy Astie wrote: > >> +bool xen_iommu_capable(struct device *dev, enum iommu_cap cap) > >> +{ > >> + switch (cap) { > >> + case IOMMU_CAP_CACHE_COHERENCY: > >> + return true; > > > > Will the PV-IOMMU only ever be exposed on hardware where that really is > > always true? > > > > On the hypervisor side, the PV-IOMMU interface always implicitely flush > the IOMMU hardware on map/unmap operation, so at the end of the > hypercall, the cache should be always coherent IMO. Cache coherency is a property of the underlying IOMMU HW and reflects the ability to prevent generating transactions that would bypass the cache. On AMD and Intel IOMMU HW this maps to a bit in their PTEs that must always be set to claim this capability. No ARM SMMU supports it yet. If you imagine supporting ARM someday then this can't be a fixed true. > Unmap failing should be exceptionnal, but is possible e.g with > transparent superpages (like Xen IOMMU drivers do). Xen drivers folds > appropriate contiguous mappings into superpages entries to optimize > memory usage and iotlb. However, if you unmap in the middle of a region > covered by a superpage entry, this is no longer a valid superpage entry, > and you need to allocate and fill the lower levels, which is faillible > if lacking memory. This doesn't seem necessary. From an IOMMU perspective the contract is that whatever gets mapped must be wholly unmapped and the unmap cannot fail. Failing to unmap causes big problems for iommufd and vfio as it is about to free to the memory underlying the maps. Nothing good will happen after this. An implementation should rely on the core code to provide the contiguous ranges and not attempt to combine mappings across two map_pages() calls. If it does this it can refuse to unmap a slice of a superpage, and thus it never has to allocate memory during unmap. > While mapping on top of another mapping is ok for us (it's just going to > override the previous mapping), I definetely agree that having the > address space messed up is not good. Technically map_pages should fail if it is already populated, but nothing should ever do that. Jason

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.