* [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
@ 2026-03-25 7:56 Tianyu Lan
2026-03-25 9:22 ` Leon Romanovsky
2026-03-26 17:05 ` Easwar Hariharan
0 siblings, 2 replies; 5+ messages in thread
From: Tianyu Lan @ 2026-03-25 7:56 UTC
To: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy
Cc: Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley

Hyper-V provides Confidential VMBus to communicate between
device model and device guest driver via encrypted/private
memory in Confidential VM. The device model is in OpenHCL
(https://openvmm.dev/guide/user_guide/openhcl.html) that
plays the paravisor role.

For a VMBus device, there are two communication methods to
talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
DMA transfer.

The Confidential VMBus Ring buffer has been upstreamed by
Roman Kisel (commit 6802d8af47d1).

The dynamic DMA transition of VMBus device normally goes
through DMA core and it uses SWIOTLB as bounce buffer in
a CoCo VM.

The Confidential VMBus device can do DMA directly to
private/encrypted memory. Because the swiotlb is decrypted
memory, the DMA transfer must not be bounced through the
swiotlb, so as to preserve confidentiality. This is different
from the default for Linux CoCo VMs, so disable the VMBus
device's use of swiotlb.

Expose swiotlb_dev_disable() from DMA Core to disable
bounce buffer for device.

Suggested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Tianyu Lan <tiala@microsoft.com>
---
drivers/hv/vmbus_drv.c | 6 +++++-
include/linux/swiotlb.h | 5 +++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 3d1a58b667db..84e6971fc90f 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
+ device_initialize(&child_device_obj->device);
+ if (child_device_obj->channel->co_external_memory)
+ swiotlb_dev_disable(&child_device_obj->device);
+
/*
* Register with the LDM. This will kick off the driver/device
* binding...which will eventually call vmbus_match() and vmbus_probe()
*/
- ret = device_register(&child_device_obj->device);
+ ret = device_add(&child_device_obj->device);
if (ret) {
pr_err("Unable to register child device\n");
put_device(&child_device_obj->device);
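Review bot: the call `swiotlb_dev_disable(&child_device_obj->device);` under the `co_external_memory` check discards the helper's `bool` return value, so nothing at this call site shows whether bouncing was actually turned off for the device. Either make the helper return `void`, or check the result and handle the case where a confidential channel would still bounce through decrypted memory. The split of `device_register()` into `device_initialize()` plus `device_add()` also deserves a one-line comment saying why the swiotlb setting has to be applied between the two calls.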
diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
index 3dae0f592063..7c572570d5d9 100644
--- a/include/linux/swiotlb.h
+++ b/include/linux/swiotlb.h
@@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
return NULL;
}
+static inline bool swiotlb_dev_disable(struct device *dev)
+{
+ return dev->dma_io_tlb_mem == NULL;
+}
+
static inline bool is_swiotlb_force_bounce(struct device *dev)
{
struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
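Review bot: `return dev->dma_io_tlb_mem == NULL;` in the new `swiotlb_dev_disable()` compares the pointer instead of changing it, so the helper only reports whether the device has no swiotlb memory attached and never disables anything, which contradicts both its name and the commit message. If clearing the pointer is the intent, make it an assignment in a `void` function; if a query is the intent, rename the helper to say so. A kernel-doc comment on the new function is missing as well.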
--
2.50.1
* Re: [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Leon Romanovsky @ 2026-03-25 9:22 UTC
To: Tianyu Lan
Cc: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy,
Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley
On Wed, Mar 25, 2026 at 03:56:49AM -0400, Tianyu Lan wrote:
> Hyper-V provides Confidential VMBus to communicate between
> device model and device guest driver via encrypted/private
> memory in Confidential VM. The device model is in OpenHCL
> (https://openvmm.dev/guide/user_guide/openhcl.html) that
> plays the paravisor role.
>
> For a VMBus device, there are two communication methods to
> talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
> DMA transfer.
>
> The Confidential VMBus Ring buffer has been upstreamed by
> Roman Kisel(commit 6802d8af47d1).
>
> The dynamic DMA transition of VMBus device normally goes
> through DMA core and it uses SWIOTLB as bounce buffer in
> a CoCo VM.
>
> The Confidential VMBus device can do DMA directly to
> private/encrypted memory. Because the swiotlb is decrypted
> memory, the DMA transfer must not be bounced through the
> swiotlb, so as to preserve confidentiality. This is different
> from the default for Linux CoCo VMs, so disable the VMBus
> device's use of swiotlb.
>
> Expose swiotlb_dev_disable() from DMA Core to disable
> bounce buffer for device.

It feels awkward and like a layering violation to let arbitrary kernel
drivers manipulate SWIOTLB, which sits beneath the DMA core.

Thanks

>
> Suggested-by: Michael Kelley <mhklinux@outlook.com>
> Signed-off-by: Tianyu Lan <tiala@microsoft.com>
> ---
> drivers/hv/vmbus_drv.c | 6 +++++-
> include/linux/swiotlb.h | 5 +++++
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 3d1a58b667db..84e6971fc90f 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
> child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
> dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
>
> + device_initialize(&child_device_obj->device);
> + if (child_device_obj->channel->co_external_memory)
> + swiotlb_dev_disable(&child_device_obj->device);
> +
> /*
> * Register with the LDM. This will kick off the driver/device
> * binding...which will eventually call vmbus_match() and vmbus_probe()
> */
> - ret = device_register(&child_device_obj->device);
> + ret = device_add(&child_device_obj->device);
> if (ret) {
> pr_err("Unable to register child device\n");
> put_device(&child_device_obj->device);
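Review bot: `if (child_device_obj->channel->co_external_memory)` dereferences `channel` with nothing in the visible context showing that it is non-NULL at this point in `vmbus_device_register()`. If the caller guarantees it, say so in a comment, and state there what `co_external_memory` means for DMA so a reader can see why this flag gates the swiotlb change.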
> diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
> index 3dae0f592063..7c572570d5d9 100644
> --- a/include/linux/swiotlb.h
> +++ b/include/linux/swiotlb.h
> @@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
> return NULL;
> }
>
> +static inline bool swiotlb_dev_disable(struct device *dev)
> +{
> + return dev->dma_io_tlb_mem == NULL;
> +}
> +
> static inline bool is_swiotlb_force_bounce(struct device *dev)
> {
> struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
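Review bot: the new inline `swiotlb_dev_disable(struct device *dev)` accepts any `struct device` from a public header, and its body has no guard on the device's state. If a helper like this stays, it needs a documented precondition, such as being called only before `device_add()` and before any mapping exists, because changing the bounce-buffer state on a live device would change how later DMA mappings for it are handled.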
> --
> 2.50.1
>
>
* Re: [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Easwar Hariharan @ 2026-03-26 17:05 UTC
To: Tianyu Lan
Cc: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy,
easwar.hariharan, Tianyu Lan, iommu, linux-hyperv, linux-kernel,
hch, vdso, Michael Kelley
On 3/25/2026 12:56 AM, Tianyu Lan wrote:
> Hyper-V provides Confidential VMBus to communicate between
> device model and device guest driver via encrypted/private
> memory in Confidential VM. The device model is in OpenHCL
> (https://openvmm.dev/guide/user_guide/openhcl.html) that
> plays the paravisor role.
>
> For a VMBus device, there are two communication methods to
> talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
> DMA transfer.
>
> The Confidential VMBus Ring buffer has been upstreamed by
> Roman Kisel(commit 6802d8af47d1).
>
> The dynamic DMA transition of VMBus device normally goes
> through DMA core and it uses SWIOTLB as bounce buffer in
> a CoCo VM.
>
> The Confidential VMBus device can do DMA directly to
> private/encrypted memory. Because the swiotlb is decrypted
> memory, the DMA transfer must not be bounced through the
> swiotlb, so as to preserve confidentiality. This is different
> from the default for Linux CoCo VMs, so disable the VMBus
> device's use of swiotlb.
>
> Expose swiotlb_dev_disable() from DMA Core to disable
> bounce buffer for device.
>
> Suggested-by: Michael Kelley <mhklinux@outlook.com>
> Signed-off-by: Tianyu Lan <tiala@microsoft.com>
> ---
> drivers/hv/vmbus_drv.c | 6 +++++-
> include/linux/swiotlb.h | 5 +++++
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> index 3d1a58b667db..84e6971fc90f 100644
> --- a/drivers/hv/vmbus_drv.c
> +++ b/drivers/hv/vmbus_drv.c
> @@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
> child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
> dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
>
> + device_initialize(&child_device_obj->device);
> + if (child_device_obj->channel->co_external_memory)
> + swiotlb_dev_disable(&child_device_obj->device);
> +
> /*
> * Register with the LDM. This will kick off the driver/device
> * binding...which will eventually call vmbus_match() and vmbus_probe()
> */
> - ret = device_register(&child_device_obj->device);
> + ret = device_add(&child_device_obj->device);
> if (ret) {
> pr_err("Unable to register child device\n");
> put_device(&child_device_obj->device);
> diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
> index 3dae0f592063..7c572570d5d9 100644
> --- a/include/linux/swiotlb.h
> +++ b/include/linux/swiotlb.h
> @@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
> return NULL;
> }
>
> +static inline bool swiotlb_dev_disable(struct device *dev)
> +{
> + return dev->dma_io_tlb_mem == NULL;

Is there an extra = here?

- Easwar (he/him)
* Re: [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Tianyu Lan @ 2026-03-27 9:28 UTC
To: Leon Romanovsky
Cc: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy,
Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley
On Wed, Mar 25, 2026 at 5:22 PM Leon Romanovsky <leon@kernel.org> wrote:
>
> On Wed, Mar 25, 2026 at 03:56:49AM -0400, Tianyu Lan wrote:
> > Hyper-V provides Confidential VMBus to communicate between
> > device model and device guest driver via encrypted/private
> > memory in Confidential VM. The device model is in OpenHCL
> > (https://openvmm.dev/guide/user_guide/openhcl.html) that
> > plays the paravisor role.
> >
> > For a VMBus device, there are two communication methods to
> > talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
> > DMA transfer.
> >
> > The Confidential VMBus Ring buffer has been upstreamed by
> > Roman Kisel(commit 6802d8af47d1).
> >
> > The dynamic DMA transition of VMBus device normally goes
> > through DMA core and it uses SWIOTLB as bounce buffer in
> > a CoCo VM.
> >
> > The Confidential VMBus device can do DMA directly to
> > private/encrypted memory. Because the swiotlb is decrypted
> > memory, the DMA transfer must not be bounced through the
> > swiotlb, so as to preserve confidentiality. This is different
> > from the default for Linux CoCo VMs, so disable the VMBus
> > device's use of swiotlb.
> >
> > Expose swiotlb_dev_disable() from DMA Core to disable
> > bounce buffer for device.
>
> It feels awkward and like a layering violation to let arbitrary kernel
> drivers manipulate SWIOTLB, which sits beneath the DMA core.
>

Hi Leon:
Thanks for your review. I will try another way, since the DMA core
currently has no standard way to disable a device's swiotlb.
--
Thanks
Tianyu Lan
* Re: [RFC PATCH V3] x86/VMBus: Confidential VMBus for dynamic DMA transfers
From: Tianyu Lan @ 2026-03-27 9:32 UTC
To: Easwar Hariharan
Cc: kys, haiyangz, wei.liu, decui, longli, m.szyprowski, robin.murphy,
Tianyu Lan, iommu, linux-hyperv, linux-kernel, hch, vdso,
Michael Kelley
On Fri, Mar 27, 2026 at 1:05 AM Easwar Hariharan
<easwar.hariharan@linux.microsoft.com> wrote:
>
> On 3/25/2026 12:56 AM, Tianyu Lan wrote:
> > Hyper-V provides Confidential VMBus to communicate between
> > device model and device guest driver via encrypted/private
> > memory in Confidential VM. The device model is in OpenHCL
> > (https://openvmm.dev/guide/user_guide/openhcl.html) that
> > plays the paravisor role.
> >
> > For a VMBus device, there are two communication methods to
> > talk with Host/Hypervisor. 1) VMBUS Ring buffer 2) Dynamic
> > DMA transfer.
> >
> > The Confidential VMBus Ring buffer has been upstreamed by
> > Roman Kisel(commit 6802d8af47d1).
> >
> > The dynamic DMA transition of VMBus device normally goes
> > through DMA core and it uses SWIOTLB as bounce buffer in
> > a CoCo VM.
> >
> > The Confidential VMBus device can do DMA directly to
> > private/encrypted memory. Because the swiotlb is decrypted
> > memory, the DMA transfer must not be bounced through the
> > swiotlb, so as to preserve confidentiality. This is different
> > from the default for Linux CoCo VMs, so disable the VMBus
> > device's use of swiotlb.
> >
> > Expose swiotlb_dev_disable() from DMA Core to disable
> > bounce buffer for device.
> >
> > Suggested-by: Michael Kelley <mhklinux@outlook.com>
> > Signed-off-by: Tianyu Lan <tiala@microsoft.com>
> > ---
> > drivers/hv/vmbus_drv.c | 6 +++++-
> > include/linux/swiotlb.h | 5 +++++
> > 2 files changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
> > index 3d1a58b667db..84e6971fc90f 100644
> > --- a/drivers/hv/vmbus_drv.c
> > +++ b/drivers/hv/vmbus_drv.c
> > @@ -2184,11 +2184,15 @@ int vmbus_device_register(struct hv_device *child_device_obj)
> > child_device_obj->device.dma_mask = &child_device_obj->dma_mask;
> > dma_set_mask(&child_device_obj->device, DMA_BIT_MASK(64));
> >
> > + device_initialize(&child_device_obj->device);
> > + if (child_device_obj->channel->co_external_memory)
> > + swiotlb_dev_disable(&child_device_obj->device);
> > +
> > /*
> > * Register with the LDM. This will kick off the driver/device
> > * binding...which will eventually call vmbus_match() and vmbus_probe()
> > */
> > - ret = device_register(&child_device_obj->device);
> > + ret = device_add(&child_device_obj->device);
> > if (ret) {
> > pr_err("Unable to register child device\n");
> > put_device(&child_device_obj->device);
> > diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
> > index 3dae0f592063..7c572570d5d9 100644
> > --- a/include/linux/swiotlb.h
> > +++ b/include/linux/swiotlb.h
> > @@ -169,6 +169,11 @@ static inline struct io_tlb_pool *swiotlb_find_pool(struct device *dev,
> > return NULL;
> > }
> >
> > +static inline bool swiotlb_dev_disable(struct device *dev)
> > +{
> > + return dev->dma_io_tlb_mem == NULL;
>
> Is there an extra = here?
>
> - Easwar (he/him)

Hi Easwar:
Thanks for your review. Nice catch. Oops. Will try another way to disable
the device bounce buffer in the next version.
--
Thanks
Tianyu Lan