[PATCH kernel] powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains
Alexey Kardashevskiy
aik at ozlabs.ru
Fri Jul 8 23:10:07 AEST 2022
On 08/07/2022 21:55, Jason Gunthorpe wrote:
> On Fri, Jul 08, 2022 at 04:34:55PM +1000, Alexey Kardashevskiy wrote:
>
>> For now I'll add a comment in spapr_tce_iommu_attach_dev() that it is fine
>> to do nothing as tce_iommu_take_ownership() and
>> tce_iommu_take_ownership_ddw() take care of not having active DMA mappings.
>
> That will still cause a security problem because
> tce_iommu_take_ownership()/etc are called too late. This is the moment
> in the flow when the ownershift must change away from the DMA API that
> power implements and to VFIO, not later.
It is getting better and better :)
On POWERNV, at the boot time the platforms sets up PHBs, enables bypass,
creates groups and attaches devices. As for now attaching devices to the
default domain (which is BLOCKED) fails the not-being-use check as
enabled bypass means "everything is mapped for DMA". So at this point
the default domain has to be IOMMU_DOMAIN_IDENTITY or
IOMMU_DOMAIN_UNMANAGED so later on VFIO can move devices to
IOMMU_DOMAIN_BLOCKED. Am I missing something?
>
> Jason
--
Alexey
More information about the Linuxppc-dev
mailing list