qemu/hw/virtio
Halil Pasic 06134e2bc3 virtio: fix feature negotiation for ACCESS_PLATFORM
Unlike most virtio features ACCESS_PLATFORM is considered mandatory by
QEMU, i.e. the driver must accept it if offered by the device. The
virtio specification says that the driver SHOULD accept the
ACCESS_PLATFORM feature if offered, and that the device MAY fail to
operate if ACCESS_PLATFORM was offered but not negotiated.

While a SHOULD ain't exactly a MUST, we are certainly allowed to fail
the device when the driver fences ACCESS_PLATFORM. With commit
2943b53f68 ("virtio: force VIRTIO_F_IOMMU_PLATFORM") we already made the
decision to do so whenever the get_dma_as() callback is implemented (by
the bus), which in practice means for the entirety of virtio-pci.

That means, if the device needs to translate I/O addresses, then
ACCESS_PLATFORM is mandatory. The aforementioned commit tells us in the
commit message that this is for security reasons. More precisely if we
were to allow a less than trusted driver (e.g. a user-space driver, or
a nested guest) to make the device bypass the IOMMU by not negotiating
ACCESS_PLATFORM, then the guest kernel would have no ability to
control/police (by programming the IOMMU) what pieces of guest memory
the driver may manipulate using the device. Which would break security
assumptions within the guest.

If ACCESS_PLATFORM is offered not because we want the device to utilize
an IOMMU and do address translation, but because the device does not
have access to the entire guest RAM, and needs the driver to grant
access to the bits it needs access to (e.g. confidential guest support),
we still require the guest to have the corresponding logic and to accept
ACCESS_PLATFORM. If the driver does not accept ACCESS_PLATFORM, then
things are bound to go wrong, and we may see failures much less graceful
than failing the device because the driver didn't negotiate
ACCESS_PLATFORM.

So let us make ACCESS_PLATFORM mandatory for the driver regardless
of whether the get_dma_as() callback is implemented or not.

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Fixes: 2943b53f68 ("virtio: force VIRTIO_F_IOMMU_PLATFORM")

Message-Id: <20220307112939.2780117-1-pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
2022-05-13 05:22:31 -04:00
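
The policy change described in the commit message above, as a small C model added here for illustration; it is not QEMU code and not part of the commit. `struct model_dev`, `negotiate()` and `enforce_always` are hypothetical names, and rejecting acknowledged bits that were never offered is an assumption of the model; only the feature bit numbers come from the virtio specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Feature bit numbers from the virtio specification. */
#define VIRTIO_F_VERSION_1       32
#define VIRTIO_F_ACCESS_PLATFORM 33
#define BIT64(n) (1ULL << (n))

/* Hypothetical model of a device on a bus; not a QEMU structure. */
struct model_dev {
    uint64_t offered;        /* feature bits the device offers */
    bool     bus_has_dma_as; /* bus implements get_dma_as() */
};

enum verdict { NEGOTIATED, DEVICE_FAILED };

/* enforce_always == false: rule before the commit (only with get_dma_as()).
 * enforce_always == true:  rule after the commit (whenever the bit is offered). */
static enum verdict negotiate(const struct model_dev *d, uint64_t driver_ack,
                              bool enforce_always)
{
    /* Model assumption: a driver may only accept bits that were offered. */
    if (driver_ack & ~d->offered) {
        return DEVICE_FAILED;
    }

    bool offered   = (d->offered & BIT64(VIRTIO_F_ACCESS_PLATFORM)) != 0;
    bool accepted  = (driver_ack & BIT64(VIRTIO_F_ACCESS_PLATFORM)) != 0;
    bool mandatory = offered && (enforce_always || d->bus_has_dma_as);

    /* Fail the device up front instead of running with a driver that
     * would bypass the IOMMU or touch memory the device cannot reach. */
    return (mandatory && !accepted) ? DEVICE_FAILED : NEGOTIATED;
}

int main(void)
{
    /* Constructed case: ACCESS_PLATFORM offered on a bus without
     * get_dma_as(), and a driver that declines the bit. */
    struct model_dev dev = {
        .offered = BIT64(VIRTIO_F_VERSION_1) | BIT64(VIRTIO_F_ACCESS_PLATFORM),
        .bus_has_dma_as = false,
    };
    uint64_t ack = BIT64(VIRTIO_F_VERSION_1);

    printf("before: %s\n", negotiate(&dev, ack, false) == NEGOTIATED ? "negotiated" : "device failed");
    printf("after:  %s\n", negotiate(&dev, ack, true) == NEGOTIATED ? "negotiated" : "device failed");
    return 0;
}
```
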
..
Kconfig meson: use have_vhost_* variables to pick sources 2022-05-07 07:46:58 +02:00
meson.build meson: use have_vhost_* variables to pick sources 2022-05-07 07:46:58 +02:00
trace-events vdpa: Add missing tracing to batch mapping functions 2022-04-26 12:32:47 +02:00
trace.h
vhost-backend.c vhost-backend: do not depend on CONFIG_VHOST_VSOCK 2022-05-12 12:29:44 +02:00
vhost-iova-tree.c Replace qemu_real_host_page variables with inlined functions 2022-04-06 10:50:38 +02:00
vhost-iova-tree.h vhost: Add VhostIOVATree 2022-03-15 13:57:44 +08:00
vhost-scsi-pci.c
vhost-shadow-virtqueue.c Replace qemu_real_host_page variables with inlined functions 2022-04-06 10:50:38 +02:00
vhost-shadow-virtqueue.h vdpa: Add custom IOTLB translations to SVQ 2022-03-15 13:57:44 +08:00
vhost-stub.c
vhost-user-blk-pci.c
vhost-user-fs-pci.c vhost-user-fs: add the "bootindex" property 2021-01-13 09:06:37 -05:00
vhost-user-fs.c Revert "virtio: introduce macro IRTIO_CONFIG_IRQ_IDX" 2022-01-10 16:02:54 -05:00
vhost-user-i2c-pci.c hw/virtio: add vhost-user-i2c-pci boilerplate 2021-07-16 11:10:45 -04:00
vhost-user-i2c.c hw/vhost-user-i2c: Add support for VIRTIO_I2C_F_ZERO_LENGTH_REQUEST 2022-03-04 08:30:52 -05:00
vhost-user-input-pci.c
vhost-user-rng-pci.c vhost-user-rng-pci: Add vhost-user-rng-pci implementation 2021-10-20 04:37:55 -04:00
vhost-user-rng.c vhost-user-rng: Add vhost-user-rng implementation 2021-10-20 04:37:55 -04:00
vhost-user-scsi-pci.c
vhost-user-vsock-pci.c
vhost-user-vsock.c vhost-vsock: handle common features in vhost-vsock-common 2021-10-05 17:30:57 -04:00
vhost-user.c vhost-user: Use correct macro name TARGET_PPC64 2022-05-05 15:36:16 -03:00
vhost-vdpa.c vdpa: Add missing tracing to batch mapping functions 2022-04-26 12:32:47 +02:00
vhost-vsock-common.c vhost-vsock: detach the virqueue element in case of error 2022-03-06 05:08:23 -05:00
vhost-vsock-pci.c
vhost-vsock.c hw: replace qemu_set_nonblock() 2022-05-03 15:52:33 +04:00
vhost.c Don't include sysemu/tcg.h if it is not necessary 2022-04-20 12:12:47 -07:00
virtio-9p-pci.c
virtio-balloon-pci.c hw/virtio/virtio-balloon: Remove the "class" property 2021-02-05 08:52:59 -05:00
virtio-balloon.c Replace qemu_gettimeofday() with g_get_real_time() 2022-04-06 10:50:37 +02:00
virtio-blk-pci.c
virtio-bus.c virtio: fix feature negotiation for ACCESS_PLATFORM 2022-05-13 05:22:31 -04:00
virtio-crypto-pci.c
virtio-crypto.c Use g_new() & friends where that makes obvious sense 2022-03-21 15:44:44 +01:00
virtio-input-host-pci.c
virtio-input-pci.c
virtio-iommu-pci.c hw/arm/virt: Remove device tree restriction for virtio-iommu 2021-12-15 10:35:26 +00:00
virtio-iommu.c * Add cpu0-id to query-sev-capabilities 2022-04-19 18:22:16 -07:00
virtio-mem-pci.c qapi: Include qom-path in MEMORY_DEVICE_SIZE_CHANGE qapi events 2021-10-02 08:43:21 +02:00
virtio-mem-pci.h
virtio-mem.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
virtio-mmio.c Remove unnecessary minimum_version_id_old fields 2022-01-28 15:38:23 +01:00
virtio-net-pci.c virtio-net: calculating proper msix vectors on init 2021-03-15 16:41:22 +08:00
virtio-pci.c kvm/msi: do explicit commit when adding msi routes 2022-03-15 11:26:20 +01:00
virtio-pci.h Revert "virtio-pci: add support for configure interrupt" 2022-01-10 16:00:02 -05:00
virtio-pmem-pci.c
virtio-pmem-pci.h
virtio-pmem.c Remove qemu-common.h include from most units 2022-04-06 14:31:55 +02:00
virtio-rng-pci.c
virtio-rng.c sysemu: Let VMChangeStateHandler take boolean 'running' argument 2021-03-09 23:13:57 +01:00
virtio-scsi-pci.c
virtio-serial-pci.c
virtio.c virtio-scsi: don't waste CPU polling the event virtqueue 2022-05-09 10:45:04 +01:00