linux-pci.vger.kernel.org archive mirror
From: Jason Gunthorpe <jgg@nvidia.com>
To: Bjorn Helgaas <helgaas@kernel.org>
Cc: Vidya Sagar <vidyas@nvidia.com>,
	corbet@lwn.net, bhelgaas@google.com, galshalom@nvidia.com,
	leonro@nvidia.com, treding@nvidia.com, jonathanh@nvidia.com,
	mmoshrefjava@nvidia.com, shahafs@nvidia.com, vsethi@nvidia.com,
	sdonthineni@nvidia.com, jan@nvidia.com, tdave@nvidia.com,
	linux-doc@vger.kernel.org, linux-pci@vger.kernel.org,
	linux-kernel@vger.kernel.org, kthota@nvidia.com,
	mmaddireddy@nvidia.com, sagar.tv@gmail.com,
	Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
	Robin Murphy <robin.murphy@arm.com>,
	iommu@lists.linux.dev
Subject: Re: [PATCH V3] PCI: Extend ACS configurability
Date: Thu, 23 May 2024 12:16:05 -0300
Message-ID: <20240523151605.GP20229@nvidia.com>
In-Reply-To: <20240523145936.GA118272@bhelgaas>

On Thu, May 23, 2024 at 09:59:36AM -0500, Bjorn Helgaas wrote:
> [+cc iommu folks]
> 
> On Thu, May 23, 2024 at 12:05:28PM +0530, Vidya Sagar wrote:
> > For iommu_groups to form correctly, the ACS settings in the PCIe fabric
> > need to be set up early in the boot process, either via the BIOS or via
> > the kernel disable_acs_redir parameter.
> 
> Can you point to the iommu code that is involved here?  It sounds like
> the iommu_groups are built at boot time and are immutable after that?

They are created when the struct device is plugged
in. pci_device_group() does the logic.

Notably groups can't/don't change if details like ACS change after the
groups are set up.

There are a lot of instructions out there telling people to boot their
servers and then manually change the ACS flags with set_pci or
something, and these are not good instructions since it defeats the
VFIO group based security mechanisms.

> If we need per-device ACS config that depends on the workload, it
> seems kind of problematic to only be able to specify this at boot
> time.  I guess we would need to reboot if we want to run a workload
> that needs a different config?

Basically. The main difference I'd see is if the server is a VM host
or running bare metal apps. You can get more efficiency if you change
things for the bare metal case, and often bare metal will want to turn
the iommu off while a VM host often wants more of it turned on.

> Is this the iommu usage model we want in the long term?

There is some path to more dynamic behavior here, but it would require
separating groups into two components - devices that are together
because they are physically sharing translation (aliases and things)
from devices that are together because they share a security boundary
(ACS).

It is more believable we could dynamically change security group
assignments for VFIO than translation group assignment. I don't know
anyone interested in this right now - Alex and I have only talked
about it as a possibility a while back.

FWIW I don't view this patch as excluding more dynamism in the future,
but it is the best way to work with the current state of affairs, and
definitely better than set_pci instructions.

Thanks,
Jason
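
An added example, not part of the original message or of the patch under discussion: a check for the drift described above, where a bridge's ACS bits are changed after the IOMMU groups were formed. It walks PCIe extended config space to the ACS Control register and compares it with a boot-time value against the four bits the kernel's grouping code requires; the function names, the boot-time baseline and the config-space bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PCI_EXT_CAP_ID_ACS 0x000D /* ACS extended capability ID */
#define PCI_ACS_CTRL       0x06   /* ACS Control register offset in the capability */
/* Source Validation | Request Redirect | Completion Redirect | Upstream Forwarding */
#define REQ_ACS_FLAGS      (0x01 | 0x04 | 0x08 | 0x10)

/* Walk the extended capability list from 0x100; 0 and *ctrl set, or -1 if no ACS. */
int acs_ctrl_read(const uint8_t *cfg, size_t len, uint16_t *ctrl)
{
    size_t off = 0x100;
    for (int hops = 0; hops < 480 && off >= 0x100 && off + 8 <= len; hops++) {
        uint32_t hdr = cfg[off] | cfg[off + 1] << 8 | cfg[off + 2] << 16 |
                       (uint32_t)cfg[off + 3] << 24;
        if (hdr == 0 || hdr == 0xffffffffu)
            break;                        /* end of list or device gone */
        if ((hdr & 0xffff) == PCI_EXT_CAP_ID_ACS) {
            *ctrl = (uint16_t)(cfg[off + PCI_ACS_CTRL] | cfg[off + PCI_ACS_CTRL + 1] << 8);
            return 0;
        }
        off = (hdr >> 20) & 0xffc;        /* next capability, dword aligned */
    }
    return -1;
}

/* 0 = the groups were formed with the bridge isolating and it no longer does. */
int acs_still_isolating(uint16_t boot, uint16_t now)
{
    return (boot & REQ_ACS_FLAGS) != REQ_ACS_FLAGS ||
           (now & REQ_ACS_FLAGS) == REQ_ACS_FLAGS;
}

/* Constructed sample: AER capability at 0x100 linking to ACS at 0x148. */
void make_cfg(uint8_t *cfg, uint16_t ctrl)
{
    memset(cfg, 0, 4096);
    cfg[0x100] = 0x01; cfg[0x102] = 0x81; cfg[0x103] = 0x14;
    cfg[0x148] = 0x0d; cfg[0x14a] = 0x01;
    cfg[0x148 + PCI_ACS_CTRL] = ctrl & 0xff; cfg[0x148 + PCI_ACS_CTRL + 1] = ctrl >> 8;
}

int main(void)
{
    uint8_t cfg[4096]; uint16_t now = 0;
    make_cfg(cfg, 0x0000);                /* constructed: ACS cleared after boot */
    if (acs_ctrl_read(cfg, sizeof(cfg), &now) == 0)
        printf("ACSCtl=0x%04x isolating=%d\n", now, acs_still_isolating(0x001d, now));
    return 0;
}
```

On a live system the bytes would come from the bridge's sysfs `config` file, read as root so that the extended space beyond the first 256 bytes is included.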
