From: Jason Gunthorpe <jgg@ziepe•ca>
To: Mostafa Saleh <smostafa@google•com>
Cc: "Aneesh Kumar K.V (Arm)" <aneesh.kumar@kernel•org>,
iommu@lists•linux.dev, linux-arm-kernel@lists•infradead.org,
linux-kernel@vger•kernel.org, linux-coco@lists•linux.dev,
Robin Murphy <robin.murphy@arm•com>,
Marek Szyprowski <m.szyprowski@samsung•com>,
Will Deacon <will@kernel•org>, Marc Zyngier <maz@kernel•org>,
Steven Price <steven.price@arm•com>,
Suzuki K Poulose <Suzuki.Poulose@arm•com>,
Catalin Marinas <catalin.marinas@arm•com>,
Jiri Pirko <jiri@resnulli•us>, Petr Tesarik <ptesarik@suse•com>,
Alexey Kardashevskiy <aik@amd•com>,
Dan Williams <dan.j.williams@intel•com>,
Xu Yilun <yilun.xu@linux•intel.com>,
linuxppc-dev@lists•ozlabs.org, linux-s390@vger•kernel.org,
Madhavan Srinivasan <maddy@linux•ibm.com>,
Michael Ellerman <mpe@ellerman•id.au>,
Nicholas Piggin <npiggin@gmail•com>,
"Christophe Leroy (CS GROUP)" <chleroy@kernel•org>,
Alexander Gordeev <agordeev@linux•ibm.com>,
Gerald Schaefer <gerald.schaefer@linux•ibm.com>,
Heiko Carstens <hca@linux•ibm.com>,
Vasily Gorbik <gor@linux•ibm.com>,
Christian Borntraeger <borntraeger@linux•ibm.com>,
Sven Schnelle <svens@linux•ibm.com>,
x86@kernel•org
Subject: Re: [PATCH v4 04/13] dma: swiotlb: track pool encryption state and honor DMA_ATTR_CC_SHARED
Date: Fri, 15 May 2026 19:51:13 -0300 [thread overview]
Message-ID: <20260515225113.GN7702@ziepe.ca> (raw)
In-Reply-To: <agXfm3mS_M3fvRrN@google.com>
On Thu, May 14, 2026 at 02:43:39PM +0000, Mostafa Saleh wrote:
> > That's a somewhat different problem, we have the dev->trusted stuff
> > that is supposed to deal with this kind of security. We need it for
> > IOMMU based systems too, eg hot plug thunderbolt should have it.
>
> I see that it is used only for dma-iommu and for PCI devices.
> However, I think that should be a problem with other CCA solutions
> with emulated devices as they are untrusted. As I'd expect they
> would have virtio devices.
Yes, any security solution with an out of TCB device should be using either
memory encryption so the kernel already bounces or this trusted stuff
and a force strict dma-iommu so the dma layer is careful.
This is more policy from userspace what devices they want in or out of
their TCB. Like you make accept the device into T=1 but then still
want to keep it out of your TCB with the vIOMMU, I can see good
arguments for something like that.
> > > While we can debate the aesthetics of the setup , this is
> > > the exisitng behaviour for Linux, which existed for years
> > > and pKVM relies on and is used extensively.
> > > And, this patch alters that long-standing logic and introduces
> > > a functional regression.
> >
> > Yeah, Aneesh needs to do something here, I'm pointing out it is
> > entirely seperate thing from the CC path we are working on which is
> > decoupling CC from reylying on force swiotlb.
>
> I am looking into converting pKVM to use the CC stuff, I replied with
> a patch to Aneesh in this thread. However, I need to do more testing
> and make sure there are not any unwanted consequences.
Yeah, it is a nice patch and I think it will help reduce the
complexity if it aligns to CCA type stuff.
> > In a pkvm world it should be the same, the S2 table for the SMMU will
> > control what the device can access, and if the SMMU points to a
> > "private" or "shared" page is not something the device needs to know
> > or care about.
>
> I see that's because dma-iommu chooses the attrs for iommu_map().
Long term the DMA API path through the dma-iommu will pass the
ATTR_CC_SHARED through to iommu_map so when the arch requires a
different IOPTE it can construct it.
> In pKVM, dma_addr_t and IOPTE are the same for private and shared,
> so nothing differs in that case.
Yes, so you don't have to worry.
> We don’t expect pass-through devices to interact with shared
> memory (T=0) at the moment.
> However, I can see use cases for that, where the host and the guest
> collaborate with device passthrough and require zero copy.
Once you add the CC patch it becomes immediately possible though
because the user can allocate a CC shared DMA HEAP and feed that all
over the place.
> One other interesting case for device-passthrough is non-coherent
> devices which then require private pools for bouncing.
Why does shared/private matter for bouncing? Why do you need to bounce
at all? Do cmo's not work in pkvm guests?
Jason
next prev parent reply other threads:[~2026-05-15 22:51 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-12 9:03 [PATCH v4 00/13] dma-mapping: Use DMA_ATTR_CC_SHARED through direct, pool and swiotlb paths Aneesh Kumar K.V (Arm)
2026-05-12 9:03 ` [PATCH v4 01/13] dma-direct: swiotlb: handle swiotlb alloc/free outside __dma_direct_alloc_pages Aneesh Kumar K.V (Arm)
2026-05-13 13:57 ` Mostafa Saleh
2026-05-14 4:54 ` Aneesh Kumar K.V
2026-05-12 9:03 ` [PATCH v4 02/13] dma-direct: use DMA_ATTR_CC_SHARED in alloc/free paths Aneesh Kumar K.V (Arm)
2026-05-13 13:58 ` Mostafa Saleh
2026-05-14 5:01 ` Aneesh Kumar K.V
2026-05-12 9:03 ` [PATCH v4 03/13] dma-pool: track decrypted atomic pools and select them via attrs Aneesh Kumar K.V (Arm)
2026-05-13 14:00 ` Mostafa Saleh
2026-05-14 7:00 ` Aneesh Kumar K.V
2026-05-14 8:06 ` Mostafa Saleh
2026-05-16 12:53 ` Alexey Kardashevskiy
2026-05-18 8:19 ` Alexey Kardashevskiy
2026-05-18 8:32 ` Aneesh Kumar K.V
2026-05-12 9:03 ` [PATCH v4 04/13] dma: swiotlb: track pool encryption state and honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-05-13 14:27 ` Mostafa Saleh
2026-05-13 17:24 ` Jason Gunthorpe
2026-05-14 6:24 ` Aneesh Kumar K.V
2026-05-14 11:48 ` Mostafa Saleh
2026-05-14 12:35 ` Jason Gunthorpe
2026-05-14 14:43 ` Mostafa Saleh
2026-05-15 22:51 ` Jason Gunthorpe [this message]
2026-05-19 11:06 ` Mostafa Saleh
2026-05-19 13:39 ` Jason Gunthorpe
2026-05-14 5:54 ` Aneesh Kumar K.V
2026-05-14 12:02 ` Mostafa Saleh
2026-05-14 12:48 ` Aneesh Kumar K.V
2026-05-14 14:21 ` Mostafa Saleh
2026-05-14 14:43 ` Aneesh Kumar K.V
2026-05-19 11:04 ` Mostafa Saleh
2026-05-19 12:27 ` Aneesh Kumar K.V
2026-05-19 15:07 ` Aneesh Kumar K.V
2026-05-19 15:27 ` Jason Gunthorpe
2026-05-19 16:05 ` Aneesh Kumar K.V
2026-05-19 16:11 ` Jason Gunthorpe
2026-05-20 3:57 ` Aneesh Kumar K.V
2026-05-20 13:40 ` Jason Gunthorpe
2026-05-19 13:29 ` Jason Gunthorpe
2026-05-19 13:41 ` Mostafa Saleh
2026-05-19 14:00 ` Aneesh Kumar K.V
2026-05-19 14:04 ` Mostafa Saleh
2026-05-19 14:17 ` Aneesh Kumar K.V
2026-05-19 14:27 ` Mostafa Saleh
2026-05-19 14:37 ` Jason Gunthorpe
2026-05-19 14:35 ` Jason Gunthorpe
2026-05-19 14:45 ` Mostafa Saleh
2026-05-19 14:49 ` Jason Gunthorpe
2026-05-14 14:37 ` Jason Gunthorpe
2026-05-14 15:43 ` Mostafa Saleh
2026-05-18 8:19 ` Alexey Kardashevskiy
2026-05-21 17:06 ` Mostafa Saleh
2026-05-21 17:20 ` Aneesh Kumar K.V
2026-05-12 9:04 ` [PATCH v4 05/13] dma-mapping: make dma_pgprot() " Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 06/13] dma-direct: pass attrs to dma_capable() for DMA_ATTR_CC_SHARED checks Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 07/13] dma-direct: make dma_direct_map_phys() honor DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-05-18 10:04 ` Christian Borntraeger
2026-05-21 15:37 ` Aneesh Kumar K.V
2026-05-12 9:04 ` [PATCH v4 08/13] dma-direct: set decrypted flag for remapped DMA allocations Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 09/13] dma-direct: select DMA address encoding from DMA_ATTR_CC_SHARED Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 10/13] dma-pool: fix page leak in atomic_pool_expand() cleanup Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 11/13] dma-direct: rename ret to cpu_addr in alloc helpers Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 12/13] dma-direct: return struct page from dma_direct_alloc_from_pool() Aneesh Kumar K.V (Arm)
2026-05-12 9:04 ` [PATCH v4 13/13] x86/amd-gart: preserve the direct DMA address until GART mapping succeeds Aneesh Kumar K.V (Arm)
2026-05-21 11:54 ` Aneesh Kumar K.V
2026-05-17 6:19 ` [PATCH v4 00/13] dma-mapping: Use DMA_ATTR_CC_SHARED through direct, pool and swiotlb paths Jiri Pirko
2026-05-18 8:23 ` Aneesh Kumar K.V
2026-05-18 8:34 ` Jiri Pirko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515225113.GN7702@ziepe.ca \
--to=jgg@ziepe$(echo .)ca \
--cc=Suzuki.Poulose@arm$(echo .)com \
--cc=agordeev@linux$(echo .)ibm.com \
--cc=aik@amd$(echo .)com \
--cc=aneesh.kumar@kernel$(echo .)org \
--cc=borntraeger@linux$(echo .)ibm.com \
--cc=catalin.marinas@arm$(echo .)com \
--cc=chleroy@kernel$(echo .)org \
--cc=dan.j.williams@intel$(echo .)com \
--cc=gerald.schaefer@linux$(echo .)ibm.com \
--cc=gor@linux$(echo .)ibm.com \
--cc=hca@linux$(echo .)ibm.com \
--cc=iommu@lists$(echo .)linux.dev \
--cc=jiri@resnulli$(echo .)us \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-coco@lists$(echo .)linux.dev \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-s390@vger$(echo .)kernel.org \
--cc=linuxppc-dev@lists$(echo .)ozlabs.org \
--cc=m.szyprowski@samsung$(echo .)com \
--cc=maddy@linux$(echo .)ibm.com \
--cc=maz@kernel$(echo .)org \
--cc=mpe@ellerman$(echo .)id.au \
--cc=npiggin@gmail$(echo .)com \
--cc=ptesarik@suse$(echo .)com \
--cc=robin.murphy@arm$(echo .)com \
--cc=smostafa@google$(echo .)com \
--cc=steven.price@arm$(echo .)com \
--cc=svens@linux$(echo .)ibm.com \
--cc=will@kernel$(echo .)org \
--cc=x86@kernel$(echo .)org \
--cc=yilun.xu@linux$(echo .)intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox