Re: [PATCH 02/37] iommu/sva: Bind process address spaces to devices

Thu, 15 Feb 2018 04:30:50 -0800 

Am 15.02.2018 um 11:21 schrieb j...@8bytes.org:

On Tue, Feb 13, 2018 at 12:57:23PM +0000, Jean-Philippe Brucker wrote:

* bind_device() fails if the device's group has more than one device,
otherwise calls __bind_device(). This prevents device drivers that are
oblivious to IOMMU groups from opening a backdoor.

* bind_group() calls __bind_device() for all devices in group. This way
users that are aware of IOMMU groups can still use them safely. Note that
at the moment bind_group() fails as soon as it finds a device that doesn't
support SVA. Having all devices support SVA in a given group is
unrealistic and this behavior ought to be improved.

Yeah, so the problem on PCI is that all functions of a multi-function
device are put into one group. For AMD-GPUs this means that the GPU
(SVA-capable) will end up in the same group as the on-GPU sound
device (not SVA-capable).
Yeah, but SVA only applies to rather new AMD-GPUs, which in turn can only do PCIe and there the problem doesn't seems to exist any more.
E.g. the audio device on my Vega10 gets a separate group despite being behind several bridges:
0b:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Vega 10 [Radeon Vega Frontier Edition] 
0b:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Device aaf8

...

[    6.362665] iommu: Adding device 0000:0b:00.0 to group 14
[    6.368468] iommu: Using direct mapping for device 0000:0b:00.0
[    6.380040] iommu: Adding device 0000:0b:00.1 to group 15


Regards,
Christian.



Before this causes us big headaches I suggest to only provide the
bind_device() function. This should be fine because for SVA we don't
need all types of isolation that iommu_groups provide.

IOMMU-groups provide two types of isolation:

        1) They group devices together which the IOMMU can't distinguish
           from each other, like PCI devices behind a PCIe bridge.

        2) Devices that can't be isolated from each other are also put
           into the same group. This is the case for multi-function PCIe
           devices as well as all PCIe devices behind a non-ACS bridge.
           But all these devices cann still be distinguished by the
           IOMMU.

These two types of protection are needed to safely assign devices to
guests, but for bare-metal SVA all we need is type 1) isolation, and
not even that if we can assume that all SVA-capable devices have an
exclusive device-id (or stream-id).



        Joerg



_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

Reply via email to