Re: [PATCH v2 02/23] xen/arm: smmuv3: Add support for stage-1 and nested stage translation

[Julien Grall <julien@xxxxxxx>]

Hi Bertrand,

On 11/06/2026 07:12, Bertrand Marquis wrote:
> > > This primarily targets systems where the SMMU does not support Stage-2 
> > > translation.
> > > If we decide to keep this code, I will address the associated security considerations and 
> > > document the corresponding AoU in the design. Otherwise, we can fall back to supporting 
> > > only the "nested" translation case.
> > Thanks for the feedback. I think for such setup, I would consider whether we 
> > can use the stage-1 in Xen to protect the device. AFAIK, this what Linux will 
> > do.
> >
> > I would be interested to hear what the other maintainers think.
> Giving access to the smmu to a guest means giving it a solution to access 
> whatever he wants through a DMA engine.
> This is not less secure than no SMMU at all but I would definitely think that 
> in such a case SMMU should be reserved for
> Xen to use it to protect from accessing other guests memory using DMA.
>
> Now i know that in some setups there are cases where a specific device cannot 
> be used without an SMMU (mostly GPUs
> but there might be others). In that case, the device cannot be used easily if 
> the kernel cannot use the SMMU to remap the
> memory at a convenient place for the device.
>
> We should not disallow such cases completely but we should give strong 
> recommandations when such a setup is used.
Thanks for the feedback! I think before allowing S1 without S2 we need 
to make sure it works and I am not convinced this is the case today.
Cheers,

--
Julien Grall