From: Jason Gunthorpe jgg@nvidia.com Sent: Tuesday, May 30, 2023 2:43 AM
On Wed, May 24, 2023 at 08:59:43AM +0000, Tian, Kevin wrote:
At least this looks like a reasonable tradeoff to some proprietary VMMs which never add RO mappings in stage-2 today.
What is the reason for the RO anyhow?
vfio simply follows the permission in the CPU address space.
vBIOS regions are marked as RO there hence also carried to vfio mappings.
Would it be so bad if it was DMA mapped as RW due to the errata?
Think of a scenario where the vBIOS memory is shared by multiple QEMU instances: then RW allows a malicious VM to modify the shared content, potentially attacking other VMs.
Skipping the mapping is safest in this regard.
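The policy argued for in the exchange above (a DMA mapping inherits the CPU-side permission, and a region that is read-only for the CPU is skipped rather than widened to RW when the IOMMU cannot enforce read-only) is illustrated by the following added example. It is not code from the kernel, from VFIO, or from either participant; the permission bits, the `region` table, and the function names are hypothetical, and the region list is constructed for the demonstration.

```c
/* Added example modelling the mapping policy discussed in the thread.
 * Everything here (PERM_* bits, struct region, decide_dma_mapping) is
 * hypothetical; it is not the VFIO implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PERM_READ  0x1u
#define PERM_WRITE 0x2u

enum dma_decision { MAP_RO, MAP_RW, SKIP };

struct region {
    const char   *name;
    unsigned int  cpu_perm;   /* permission in the CPU address space */
};

/* Decide how a region is exposed to device DMA, given its CPU-side
 * permission and whether the IOMMU can honor a read-only mapping. */
enum dma_decision decide_dma_mapping(unsigned int cpu_perm, bool iommu_supports_ro)
{
    if (!(cpu_perm & PERM_READ))
        return SKIP;                   /* nothing readable, nothing to map */
    if (cpu_perm & PERM_WRITE)
        return MAP_RW;                 /* CPU side is RW, DMA side follows */
    /* CPU side is read-only (e.g. a vBIOS region). Never widen it to RW:
     * if the backing memory is shared by several VMs, a writable DMA
     * mapping would let one VM alter what the others read. When the
     * IOMMU cannot enforce RO, leaving the region unmapped is the safe
     * choice. */
    return iommu_supports_ro ? MAP_RO : SKIP;
}

/* Count how many regions end up unmapped under a given IOMMU capability. */
size_t count_skipped(const struct region *regs, size_t n, bool iommu_supports_ro)
{
    size_t skipped = 0;
    for (size_t i = 0; i < n; i++)
        if (decide_dma_mapping(regs[i].cpu_perm, iommu_supports_ro) == SKIP)
            skipped++;
    return skipped;
}

static const char *decision_str(enum dma_decision d)
{
    return d == MAP_RO ? "map RO" : d == MAP_RW ? "map RW" : "skip";
}

int main(void)
{
    /* Constructed sample of guest regions, not taken from any real VM. */
    const struct region regs[] = {
        { "guest RAM",      PERM_READ | PERM_WRITE },
        { "vBIOS (shared)", PERM_READ },
        { "guard page",     0 },
    };
    const size_t n = sizeof(regs) / sizeof(regs[0]);

    for (int ro = 1; ro >= 0; ro--) {
        printf("IOMMU %s read-only mappings:\n", ro ? "supports" : "cannot enforce");
        for (size_t i = 0; i < n; i++)
            printf("  %-15s -> %s\n", regs[i].name,
                   decision_str(decide_dma_mapping(regs[i].cpu_perm, ro)));
    }
    return 0;
}
```

With RO support present the vBIOS region is mapped read-only; without it the region is skipped, so the only difference the errata makes is one fewer mapping, never a writable view of shared memory.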