On Tue, Jun 03, 2025 at 09:11:42AM -0300, Jason Gunthorpe wrote:
> On Tue, Jun 03, 2025 at 12:05:42PM +0800, Xu Yilun wrote:
> > On Mon, Jun 02, 2025 at 01:48:57PM -0300, Jason Gunthorpe wrote:
> > > On Tue, Jun 03, 2025 at 12:25:21AM +0800, Xu Yilun wrote:
> > >
> > > > > Looking at your patch series, I understand the reason you need a vfio
> > > > > ioctl is to call pci_request_regions_exclusive—is that correct?
> > > >
> > > > The immediate reason is to unbind the TDI before unmapping the BAR.
> > >
> > > Maybe you should just do this directly, require the TSM layer to issue
> > > an unbind if it gets any requests to change the secure EPT?
> >
> > The TSM layer won't touch S-EPT, KVM manages S-EPT.
>
> Why not? This cross layering mess has to live someplace.
>
> If the actual issue is the KVM S-EPT interacting with TSM bind/unbind
> only on Intel platforms then it would be better to address it there
> and stop trying to dance around the problem in higher levels.
>
> > Similarly IOMMUFD/IOMMU driver manages IOMMUPT. When p2p is
> > involved, still need to unbind the TDI first then unmap the BAR for
> > IOMMUPT.
>
> Huh? I thought if the device is in T=1 mode then its MMIO should not
> be in the non-secure IOMMU page table at all for Intel? Only T=1 P2P
> DMA should reach its MMIO and that goes through the TSM controlled
> IOMMU which uses the S-EPT ???

Correct. But the p2p case may impact AMD, AMD have legacy IOMMUPT on its
secure DMA path. And if you invalidate MMIO (in turn unmaps IOMMUPT)
when bound, may trigger HW protection mechanism against DMA silent drop.

SEV-TIO Firmware Interface SPEC, Section 2.11

"If a bound TDI sends a request to the root complex, and the IOMMU
detects a fault caused by host configuration, the root complex fences
the ASID from all further I/O to or from that guest. A host fault is
either a host page table fault or an RMP check violation.

ASID fencing means that the IOMMU blocks all further I/O from the root
complex to the guest that the TDI was bound, and the root complex blocks
all MMIO accesses by the guest. When a guest writes to MMIO, the write
is silently dropped. When a guest reads from MMIO, the guest reads 1s."

BTW: What is ARM's secure DMA path, does it go through independent
Secure IOPT? So for p2p when VFIO invalidates MMIO, how the Secure IOPT
react? How to avoid DMA silent drop?

Thanks,
Yilun

>
> Jason