[PATCH v3 00/23] Add SMMUv3 Stage 1 Support for Xen guests

[Milan Djokic <milan_djokic@epam.com>]

This patch series provides emulated SMMUv3 support in Xen, enabling stage-1
translation for the guest OS.

Stage 1 translation support is required to provide isolation between different
devices within OS. Xen already supports Stage 2 translation but there is no
support for Stage 1 translation. The goal of this work is to support Stage 1
translation for Xen guests.

This patch series represents a continuation of work from Rahul Singh:
https://patchwork.kernel.org/project/xen-devel/cover/cover.1669888522.git.rahul.singh@arm.com/
Original patch series is aligned with the newest Xen structure, with the addition
of translation layer which provides 1:N vIOMMU->pIOMMU mapping, in order to
support passthrough of the devices attached to different physical IOMMUs.

We cannot trust the guest OS to control the SMMUv3 hardware directly as
compromised guest OS can corrupt the SMMUv3 configuration and make the system
vulnerable. The guest gets the ownership of the stage 1 page tables and also
owns stage 1 configuration structures. The Xen handles the root configuration
structure (for security reasons), including the stage 2 configuration.

XEN will emulate the SMMUv3 hardware and expose the virtual SMMUv3 to the
guest. Guest can use the native SMMUv3 driver to configure the stage 1
translation. When the guest configures the SMMUv3 for Stage 1, XEN will trap
the access and configure hardware.

SMMUv3 Driver(Guest OS) -> Configure the Stage-1 translation ->
XEN trap access -> XEN SMMUv3 driver configure the HW.

The final patch series commit provides a design document for the emulated
IOMMU (arm-viommu.rst), which was previously discussed with the maintainers.
Details regarding implementation, future work and security risks are outlined
in this document.

---
Changes in v2:
 - Updated design and implementation with vIOMMU->pIOMMU mapping layer
 - Addressed security risks in the design, provided initial performance
   measurements
 - Addressed comments from previous version
 - Tested on Renesas R-Car platform, initial performance measurements for
   stage-1 vs stage-1-less guests
---

---
Changes in v3:
 - Bump domctl version, added explicit padding for the new domctl structures
 - Remove unnecessary changes according to review comments
 - Add "ARM" prefix for vIOMMU Kconfig options, since only ARM architecture is
   supported at this point 
 - Re-generate go code
 - Add missing commit sign-off tags
---

Jean-Philippe Brucker (1):
  xen/arm: smmuv3: Maintain a SID->device structure

Milan Djokic (3):
  xen/arm: vIOMMU vSID->pSID mapping layer
  libxl/arm: Introduce domctl command for IOMMU vSID/vRID mapping
  doc/arm: vIOMMU design document

Rahul Singh (19):
  xen/arm: smmuv3: Add support for stage-1 and nested stage translation
  xen/arm: smmuv3: Alloc io_domain for each device
  xen/arm: vIOMMU: add generic vIOMMU framework
  xen/arm: vsmmuv3: Add dummy support for virtual SMMUv3 for guests
  xen/domctl: Add XEN_DOMCTL_CONFIG_VIOMMU_* and viommu config param
  xen/arm: vIOMMU: Add cmdline boot option "viommu = <string>"
  xen/arm: vsmmuv3: Add support for registers emulation
  xen/arm: vsmmuv3: Add support for cmdqueue handling
  xen/arm: vsmmuv3: Add support for command CMD_CFGI_STE
  xen/arm: vsmmuv3: Attach Stage-1 configuration to SMMUv3 hardware
  xen/arm: vsmmuv3: Add support for event queue and global error
  xen/arm: vsmmuv3: Add "iommus" property node for dom0 devices
  xen/arm: vIOMMU: IOMMU device tree node for dom0
  xen/arm: vsmmuv3: Emulated SMMUv3 device tree node for dom0less
  arm/libxl: vsmmuv3: Emulated SMMUv3 device tree node in libxl
  xen/arm: vsmmuv3: Alloc virq for virtual SMMUv3
  xen/arm: vsmmuv3: Add support to send stage-1 event to guest
  libxl/arm: vIOMMU: Modify the partial device tree for iommus
  xen/arm: vIOMMU: Modify the partial device tree for dom0less

 docs/designs/arm-viommu.rst             | 390 ++++++++++
 docs/man/xl.cfg.5.pod.in                |  13 +
 docs/misc/xen-command-line.pandoc       |   9 +
 tools/golang/xenlight/helpers.gen.go    |   2 +
 tools/golang/xenlight/types.gen.go      |   7 +
 tools/include/libxl.h                   |   5 +
 tools/include/xenctrl.h                 |  12 +
 tools/libs/ctrl/xc_domain.c             |  23 +
 tools/libs/light/libxl_arm.c            | 230 +++++-
 tools/libs/light/libxl_types.idl        |   6 +
 tools/xl/xl_parse.c                     |   9 +
 xen/arch/arm/dom0less-build.c           |  72 ++
 xen/arch/arm/domain.c                   |  34 +
 xen/arch/arm/domain_build.c             | 103 ++-
 xen/arch/arm/domctl.c                   |  34 +
 xen/arch/arm/include/asm/domain.h       |   4 +
 xen/arch/arm/include/asm/iommu.h        |   7 +
 xen/arch/arm/include/asm/viommu.h       | 113 +++
 xen/common/device-tree/dom0less-build.c |  55 +-
 xen/drivers/passthrough/Kconfig         |  13 +
 xen/drivers/passthrough/arm/Makefile    |   2 +
 xen/drivers/passthrough/arm/smmu-v3.c   | 369 ++++++++-
 xen/drivers/passthrough/arm/smmu-v3.h   |  49 +-
 xen/drivers/passthrough/arm/viommu.c    |  96 +++
 xen/drivers/passthrough/arm/vsmmu-v3.c  | 958 ++++++++++++++++++++++++
 xen/drivers/passthrough/arm/vsmmu-v3.h  |  32 +
 xen/include/public/arch-arm.h           |  15 +-
 xen/include/public/device_tree_defs.h   |   1 +
 xen/include/public/domctl.h             |  24 +-
 xen/include/xen/iommu.h                 |   6 +
 xen/xsm/flask/hooks.c                   |   4 +
 xen/xsm/flask/policy/access_vectors     |   2 +
 32 files changed, 2646 insertions(+), 53 deletions(-)
 create mode 100644 docs/designs/arm-viommu.rst
 create mode 100644 xen/arch/arm/include/asm/viommu.h
 create mode 100644 xen/drivers/passthrough/arm/viommu.c
 create mode 100644 xen/drivers/passthrough/arm/vsmmu-v3.c
 create mode 100644 xen/drivers/passthrough/arm/vsmmu-v3.h

-- 
2.43.0