From mboxrd@z Thu Jan 1 00:00:00 1970
From: Avi Kivity
Subject: Re: PCI passthrough resource remapping
Date: Sat, 16 Jan 2010 11:23:35 +0200
Message-ID: <4B518597.5030809@redhat.com>
References: <20100109024500.GB4727@localhost.localdomain> <20100110221538.GF4727@localhost.localdomain> <4B4F2359.9040100@redhat.com> <20100114152652.GI4727@localhost.localdomain> <4B4F3992.3000906@redhat.com> <20100114154716.GB17515@redhat.com> <4B4F3E4B.5030303@redhat.com> <20100114183132.GJ4727@localhost.localdomain> <4B4F6BEC.8080801@redhat.com> <20100114193419.GK4727@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Michael S. Tsirkin" , Alexander Graf , kvm@vger.kernel.org
To: nemesis@icequake.net
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:14089 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752343Ab0APJXr (ORCPT ); Sat, 16 Jan 2010 04:23:47 -0500
In-Reply-To: <20100114193419.GK4727@localhost.localdomain>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 01/14/2010 09:34 PM, Ryan C. Underwood wrote:
> On Thu, Jan 14, 2010 at 09:09:32PM +0200, Avi Kivity wrote:
>
>> PCI cards can access system memory directly. If you assign a card
>> to a guest, the guest will program the card to transfer data to
>> system memory using guest addresses; since guest addresses don't
>> correspond to host addresses, memory corruption will ensue.
>>
> I see, so the only way to fix this would be either with a special guest
> driver for the device that does not perform DMA, or if that is
> impossible (due to no docs), to trap and rewrite any command writes to
> the device's MMIO region that reference a DMA write target buffer.
>
> Forgive my ignorance, but is it possible that the latter is already
> possible with qemu-kvm (somewhat like hardware memory breakpoints in
> Soft-ICE)?
>

Yes, you can easily trap mmio writes to a device, and in fact kvm does
this in some non-default scenarios.

> If qemu-kvm can be made to break and log on PCI memory accesses, I would
> then hack around the safety limitations, assuming that's all they are,
> and analyze the PCI writes one by one to find the cases where a physical
> address is passed to the card.
>
> Then I would perform the IOMMU translation myself in software whenever a
> physmem address shows up in the command stream. (Somewhat like the
> security validation of a 3D graphics card command stream in the DRM.)
>

That's definitely doable, but you would need to know exactly how the
device does dma. You would also need to lock all pages into memory
(mlockall()) and how pages are mapped (/proc/$pid/pagemap?)

--
I have a truly marvellous patch that fixes the bug which this signature
is too narrow to contain.