On Thu, Jun 05, 2025 at 09:47:01PM +0530, Aneesh Kumar K.V wrote:
Jason Gunthorpe jgg@nvidia.com writes:
On Thu, Jun 05, 2025 at 05:33:52PM +0530, Aneesh Kumar K.V wrote:
- /* To ensure no host side MMIO access is possible */
- ret = pci_request_regions_exclusive(pdev, "vfio-pci-tsm");
- if (ret)
goto out_unlock;I am hitting failures here with similar changes. Can you share the Qemu changes needed to make this pci_request_regions_exclusive successful. Also after the TDI is unbound, we want the region ownership backto "vfio-pci" so that things continue to work as non-secure device. I don't see we doing that. I could add a pci_bar_deactivate/pci_bar_activate in userspace which will result in vfio_unmap()/vfio_map(). But that doesn't release the region ownership.
Again, IMHO, we should not be doing this dynamically. VFIO should do pci_request_regions_exclusive() once at the very start and it should stay that way.
There is no reason to change it dynamically.
The only decision to make is if all vfio should switch to exclusive mode or if we need to make it optional for userspace.
We only need the exclusive mode when the device is operating in secure mode, correct? That suggests we’ll need to dynamically toggle this setting based on the device’s security state.
No, if the decision is that VFIO should allow this to be controlled by userspace then userspace will tell iommufd to run in regions_exclusive mode prior to opening the vfio cdev and VFIO will still do it once at open time and never change it.
The only thing request_regions does is block other drivers outside vfio from using this memory space. There is no reason at all to change this dynamically. A CC VMM using VFIO will never use a driver outside VFIO to touch the VFIO controlled memory.
Jason