From patchwork Thu Jul 14 19:27:03 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alex Williamson X-Patchwork-Id: 975632 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter2.kernel.org (8.14.4/8.14.4) with ESMTP id p6EJSIua008232 for ; Thu, 14 Jul 2011 19:28:19 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753904Ab1GNT1h (ORCPT ); Thu, 14 Jul 2011 15:27:37 -0400 Received: from mx1.redhat.com ([209.132.183.28]:8287 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753374Ab1GNT1g (ORCPT ); Thu, 14 Jul 2011 15:27:36 -0400 Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p6EJR5Ne002716 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 14 Jul 2011 15:27:05 -0400 Received: from s20.home (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id p6EJR3wk031400; Thu, 14 Jul 2011 15:27:04 -0400 From: Alex Williamson Subject: [PATCH] kvm: Disable device assignment without interrupt remapping To: kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org, alex.williamson@redhat.com, chrisw@redhat.com, ddutile@redhat.com, iommu@lists.linux-foundation.org Date: Thu, 14 Jul 2011 13:27:03 -0600 Message-ID: <20110714192500.4065.28234.stgit@s20.home> User-Agent: StGIT/0.14.3 MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]); Thu, 14 Jul 2011 19:28:19 +0000 (UTC) IOMMU interrupt remapping support provides a further layer of isolation for device assignment by preventing arbitrary interrupt block DMA writes by a malicious guest from reaching the host. By default, we should require that the platform provides interrupt remapping support, with an opt-in mechanism for existing behavior. Both AMD IOMMU and Intel VT-d2 hardware support interrupt remapping, however we currently only have software support on the Intel side. Users wishing to re-enable device assignment when interrupt remapping is not supported on the platform can use the "allow_unsafe_assigned_interrupts=1" module option. Signed-off-by: Alex Williamson --- virt/kvm/iommu.c | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c index 62a9caf..243cb81 100644 --- a/virt/kvm/iommu.c +++ b/virt/kvm/iommu.c @@ -30,6 +30,12 @@ #include #include +static int allow_unsafe_assigned_interrupts; +module_param_named(allow_unsafe_assigned_interrupts, + allow_unsafe_assigned_interrupts, bool, S_IRUGO | S_IWUSR); +MODULE_PARM_DESC(allow_unsafe_assigned_interrupts, + "Enable device assignment on platforms without interrupt remapping support."); + static int kvm_iommu_unmap_memslots(struct kvm *kvm); static void kvm_iommu_put_pages(struct kvm *kvm, gfn_t base_gfn, unsigned long npages); @@ -231,6 +237,15 @@ int kvm_iommu_map_guest(struct kvm *kvm) if (!kvm->arch.iommu_domain) return -ENOMEM; + if (!allow_unsafe_assigned_interrupts && + !iommu_domain_has_cap(kvm->arch.iommu_domain, + IOMMU_CAP_INTR_REMAP)) { + printk(KERN_WARNING "%s: No interrupt remapping support, disallowing device assignment. Re-enble with \"allow_unsafe_assigned_interrupts=1\" module option.\n", __func__); + iommu_domain_free(kvm->arch.iommu_domain); + kvm->arch.iommu_domain = NULL; + return -EPERM; + } + r = kvm_iommu_map_memslots(kvm); if (r) goto out_unmap;