On Tue, Aug 27, 2024 at 09:59:38AM -0700, Nicolin Chen wrote:

Reorder struct forward declarations to alphabetic order to simplify maintenance, as upcoming patches will add more to the list.

No functional change intended.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

include/linux/iommufd.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

I picked this one up

Thanks, Jason

On 2024/8/28 0:59, Nicolin Chen wrote:

+int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_viommu_alloc *cmd = ucmd->cmd;
• struct iommufd_hwpt_paging *hwpt_paging;
• struct iommufd_viommu *viommu;
• struct iommufd_device *idev;
• int rc;
• if (cmd->flags)

• return -EOPNOTSUPP;
  

• idev = iommufd_get_device(ucmd, cmd->dev_id);

Why does a device reference count is needed here? When is this reference count released after the VIOMMU is allocated?

• if (IS_ERR(idev))

• return PTR_ERR(idev);
  

• hwpt_paging = iommufd_get_hwpt_paging(ucmd, cmd->hwpt_id);
• if (IS_ERR(hwpt_paging)) {

• rc = PTR_ERR(hwpt_paging);
  

• goto out_put_idev;
  

• }
• if (!hwpt_paging->nest_parent) {

• rc = -EINVAL;
  

• goto out_put_hwpt;
  

• }
• if (cmd->type != IOMMU_VIOMMU_TYPE_DEFAULT) {

• rc = -EOPNOTSUPP;
  

• goto out_put_hwpt;
  

• }
• viommu = iommufd_object_alloc(ucmd->ictx, viommu, IOMMUFD_OBJ_VIOMMU);
• if (IS_ERR(viommu)) {

• rc = PTR_ERR(viommu);
  

• goto out_put_hwpt;
  

• }
• viommu->type = cmd->type;
• viommu->ictx = ucmd->ictx;
• viommu->hwpt = hwpt_paging;
• refcount_inc(&viommu->hwpt->common.obj.users);
• cmd->out_viommu_id = viommu->obj.id;
• rc = iommufd_ucmd_respond(ucmd, sizeof(*cmd));
• if (rc)

• goto out_abort;
  

• iommufd_object_finalize(ucmd->ictx, &viommu->obj);
• goto out_put_hwpt;

+out_abort:

• iommufd_object_abort_and_destroy(ucmd->ictx, &viommu->obj);

+out_put_hwpt:

• iommufd_put_object(ucmd->ictx, &hwpt_paging->common.obj);

+out_put_idev:

• iommufd_put_object(ucmd->ictx, &idev->obj);
• return rc;

+}

Thanks, baolu

On Sun, Sep 01, 2024 at 10:27:09PM -0700, Nicolin Chen wrote:

On Sun, Sep 01, 2024 at 10:39:17AM +0800, Baolu Lu wrote:

...

On 2024/8/28 0:59, Nicolin Chen wrote:

...

+int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_viommu_alloc *cmd = ucmd->cmd;
  

• struct iommufd_hwpt_paging *hwpt_paging;
  

• struct iommufd_viommu *viommu;
  

• struct iommufd_device *idev;
  

• int rc;
  

• if (cmd->flags)
  

•         return -EOPNOTSUPP;
  

• idev = iommufd_get_device(ucmd, cmd->dev_id);
  

Why does a device reference count is needed here? When is this reference count released after the VIOMMU is allocated?

Hmm, it was used to get dev->iommu->iommu_dev to pin the VIOMMU to a physical IOMMU instance (in v1). Jason suggested to remove that, yet I didn't realize that this idev is now completely useless.

With that being said, a parent HWPT could be shared across VIOMUs allocated for the same VM. So, I think we do need a dev pointer to know which physical instance the VIOMMU allocates for, especially for a driver-managed VIOMMU.

Eventually you need a way to pin the physical iommu, without pinning any idevs. Not sure how best to do that

Jason

On Wed, Sep 04, 2024 at 10:29:26AM -0700, Nicolin Chen wrote:

On Wed, Sep 04, 2024 at 01:26:21PM -0300, Jason Gunthorpe wrote:

...

On Sun, Sep 01, 2024 at 10:27:09PM -0700, Nicolin Chen wrote:

...

On Sun, Sep 01, 2024 at 10:39:17AM +0800, Baolu Lu wrote:

...

On 2024/8/28 0:59, Nicolin Chen wrote:

...

+int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_viommu_alloc *cmd = ucmd->cmd;
  

• struct iommufd_hwpt_paging *hwpt_paging;
  

• struct iommufd_viommu *viommu;
  

• struct iommufd_device *idev;
  

• int rc;
  

• if (cmd->flags)
  

•         return -EOPNOTSUPP;
  

• idev = iommufd_get_device(ucmd, cmd->dev_id);
  

Why does a device reference count is needed here? When is this reference count released after the VIOMMU is allocated?

Hmm, it was used to get dev->iommu->iommu_dev to pin the VIOMMU to a physical IOMMU instance (in v1). Jason suggested to remove that, yet I didn't realize that this idev is now completely useless.

With that being said, a parent HWPT could be shared across VIOMUs allocated for the same VM. So, I think we do need a dev pointer to know which physical instance the VIOMMU allocates for, especially for a driver-managed VIOMMU.

Eventually you need a way to pin the physical iommu, without pinning any idevs. Not sure how best to do that

Just trying to clarify "without pinning any idevs", does it mean we shouldn't pass in an idev_id to get dev->iommu->iommu_dev?

From userspace we have no choice but to use an idev_id to locate the physical iommu

But since we want to support hotplug it is rather problematic if that idev is permanently locked down.

Otherwise, iommu_probe_device_lock and iommu_device_lock in the iommu.c are good enough to lock dev->iommu and iommu->list. And I think we just need an iommu helper refcounting the dev_iommu (or iommu_device) as we previously discussed.

If you have a ref on an idev then the iommu_dev has to be stable, so you can just incr some refcount and then drop the idev stuff.

Jason

On Wed, Sep 04, 2024 at 08:37:07PM -0300, Jason Gunthorpe wrote:

On Wed, Sep 04, 2024 at 10:29:26AM -0700, Nicolin Chen wrote:

...

On Wed, Sep 04, 2024 at 01:26:21PM -0300, Jason Gunthorpe wrote:

...

On Sun, Sep 01, 2024 at 10:27:09PM -0700, Nicolin Chen wrote:

...

On Sun, Sep 01, 2024 at 10:39:17AM +0800, Baolu Lu wrote:

...

On 2024/8/28 0:59, Nicolin Chen wrote:

...

+int iommufd_viommu_alloc_ioctl(struct iommufd_ucmd *ucmd) +{

• struct iommu_viommu_alloc *cmd = ucmd->cmd;
  

• struct iommufd_hwpt_paging *hwpt_paging;
  

• struct iommufd_viommu *viommu;
  

• struct iommufd_device *idev;
  

• int rc;
  

• if (cmd->flags)
  

•         return -EOPNOTSUPP;
  

• idev = iommufd_get_device(ucmd, cmd->dev_id);
  

Why does a device reference count is needed here? When is this reference count released after the VIOMMU is allocated?

Hmm, it was used to get dev->iommu->iommu_dev to pin the VIOMMU to a physical IOMMU instance (in v1). Jason suggested to remove that, yet I didn't realize that this idev is now completely useless.

With that being said, a parent HWPT could be shared across VIOMUs allocated for the same VM. So, I think we do need a dev pointer to know which physical instance the VIOMMU allocates for, especially for a driver-managed VIOMMU.

Eventually you need a way to pin the physical iommu, without pinning any idevs. Not sure how best to do that

Just trying to clarify "without pinning any idevs", does it mean we shouldn't pass in an idev_id to get dev->iommu->iommu_dev?

From userspace we have no choice but to use an idev_id to locate the physical iommu

But since we want to support hotplug it is rather problematic if that idev is permanently locked down.

...

Otherwise, iommu_probe_device_lock and iommu_device_lock in the iommu.c are good enough to lock dev->iommu and iommu->list. And I think we just need an iommu helper refcounting the dev_iommu (or iommu_device) as we previously discussed.

If you have a ref on an idev then the iommu_dev has to be stable, so you can just incr some refcount and then drop the idev stuff.

Looks like a refcount could only WARN on an unbalanced iommu_dev in iommu_device_unregister() and iommu_device_unregister_bus(), either of which returns void so no way of doing a retry. And their callers would also likely free the entire memory of the driver-level struct where iommu_dev usually locates.. I feel it gets less meaningful to add the refcount if the lifecycle cannot be guaranteed.

You mentioned that actually only the iommufd selftest might hit such a corner case, so perhaps we should do something in the selftest code v.s. the iommu core. What do you think?

Thanks Nicolin

On Tue, Aug 27, 2024 at 09:59:39AM -0700, Nicolin Chen wrote:

+/**

• • struct iommu_viommu_alloc - ioctl(IOMMU_VIOMMU_ALLOC)
• • @size: sizeof(struct iommu_viommu_alloc)
• • @flags: Must be 0
• • @type: Type of the virtual IOMMU. Must be defined in enum iommu_viommu_type
• • @dev_id: The device to allocate this virtual IOMMU for

@dev_id: The device's physical IOMMU will be used to back t he vIOMMU

• • @hwpt_id: ID of a nesting parent HWPT to associate to

A nesting parent HWPT that will provide translation for an vIOMMU DMA

• • @out_viommu_id: Output virtual IOMMU ID for the allocated object
• • Allocate a virtual IOMMU object that holds a (shared) nesting parent HWPT

Allocate a virtual IOMMU object that represents the underlying physical IOMMU's virtualization support. The vIOMMU object is a security isolated slice of the physical IOMMU HW that is unique to a specific VM. Operations global to the IOMMU are connected to the vIOMMU, such as: - Security namespace for guest owned ID, eg guest controlled cache tags - Virtualization of various platforms IDs like RIDs and others - direct assigned invalidation queues - direct assigned interrupts - non-affiliated event reporting - Delivery of paravirtualized invalidation

Jason

On Thu, Sep 05, 2024 at 10:10:38AM -0700, Nicolin Chen wrote:

On Thu, Sep 05, 2024 at 12:53:02PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:39AM -0700, Nicolin Chen wrote:

...

+/**

• • struct iommu_viommu_alloc - ioctl(IOMMU_VIOMMU_ALLOC)
• • @size: sizeof(struct iommu_viommu_alloc)
• • @flags: Must be 0
• • @type: Type of the virtual IOMMU. Must be defined in enum iommu_viommu_type
• • @dev_id: The device to allocate this virtual IOMMU for

@dev_id: The device's physical IOMMU will be used to back t he vIOMMU

...

• • @hwpt_id: ID of a nesting parent HWPT to associate to

A nesting parent HWPT that will provide translation for an vIOMMU DMA

...

• • @out_viommu_id: Output virtual IOMMU ID for the allocated object
• • Allocate a virtual IOMMU object that holds a (shared) nesting parent HWPT

Allocate a virtual IOMMU object that represents the underlying physical IOMMU's virtualization support. The vIOMMU object is a security isolated slice of the physical IOMMU HW that is unique to a specific VM. Operations global to the IOMMU are connected to the vIOMMU, such as:

• Security namespace for guest owned ID, eg guest controlled cache tags
• Virtualization of various platforms IDs like RIDs and others
• direct assigned invalidation queues
• direct assigned interrupts
• non-affiliated event reporting
• Delivery of paravirtualized invalidation

Ack.

Also write something about the HWPT..

Looks like you prefer using "vIOMMU" v.s. "VIOMMU"? I would go through all the patches (QEMU including) to keep that aligned.

Yeah, VIOMMU just for all-caps constants

Jason

On Thu, Sep 05, 2024 at 12:54:54PM -0300, Jason Gunthorpe wrote:

On Tue, Aug 27, 2024 at 09:59:40AM -0700, Nicolin Chen wrote:

...

With a viommu object wrapping a potentially shareable S2 domain, a nested domain should be allocated by associating to a viommu instead. Driver can store this viommu pointer somewhere, so as to later use it calling viommu helpers for virtual device ID lookup and viommu invalidation.

For drivers without a viommu support, keep the parent domain input, which should be just viommu->hwpt->common.domain otherwise.

I've been thinking of add an op for nested allocation since every driver immediately jumps to a special function for nested allocation anyhow without sharing any code.

Adding a new parameter that is nested only seems like a good point to try to do that..

Yea, it makes sense to have a domain_alloc_nested, for hwpt_nested exclusively. Then domain_alloc_user would be for hwpt_paging only.

Thanks Nicolin

On Tue, Aug 27, 2024 at 09:59:41AM -0700, Nicolin Chen wrote:

Now a VIOMMU can wrap a shareable nested parent HWPT. So, it can act like a nested parent HWPT to allocate a nested HWPT.

Support that in the IOMMU_HWPT_ALLOC ioctl handler, and update its kdoc.

Also, associate a viommu to an allocating nested HWPT.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/hw_pagetable.c | 24 ++++++++++++++++++++++-- drivers/iommu/iommufd/iommufd_private.h | 1 + include/uapi/linux/iommufd.h | 12 ++++++------ 3 files changed, 29 insertions(+), 8 deletions(-)

Reviewed-by: Jason Gunthorpe jgg@nvidia.com

Jason

On Thu, Sep 26, 2024 at 04:50:46PM +0800, Yi Liu wrote:

On 2024/8/28 00:59, Nicolin Chen wrote:

...

Now a VIOMMU can wrap a shareable nested parent HWPT. So, it can act like a nested parent HWPT to allocate a nested HWPT.

Support that in the IOMMU_HWPT_ALLOC ioctl handler, and update its kdoc.

Also, associate a viommu to an allocating nested HWPT.

it still not quite clear to me what vIOMMU obj stands for. Here, it is a wrapper of s2 hpwt IIUC. But in the cover letter, vIOMMU obj can instanced per the vIOMMU units in VM.

Yea, the implementation in this version is merely a wrapper. I had a general introduction of vIOMMU in the other reply. And I will put something similar in the next version of the series, so the idea would be bigger than a wrapper.

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here: - If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT. - If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

Thanks Nic

On Fri, Sep 27, 2024 at 12:43:16AM +0000, Tian, Kevin wrote:

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Friday, September 27, 2024 4:11 AM

On Thu, Sep 26, 2024 at 04:50:46PM +0800, Yi Liu wrote:

...

On 2024/8/28 00:59, Nicolin Chen wrote:

...

Now a VIOMMU can wrap a shareable nested parent HWPT. So, it can act

like

...

...

a nested parent HWPT to allocate a nested HWPT.

Support that in the IOMMU_HWPT_ALLOC ioctl handler, and update its

kdoc.

...

...

Also, associate a viommu to an allocating nested HWPT.

it still not quite clear to me what vIOMMU obj stands for. Here, it is a wrapper of s2 hpwt IIUC. But in the cover letter, vIOMMU obj can instanced per the vIOMMU units in VM.

Yea, the implementation in this version is merely a wrapper. I had a general introduction of vIOMMU in the other reply. And I will put something similar in the next version of the series, so the idea would be bigger than a wrapper.

...

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here:

• If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT.
• If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

this is not consistent with previous discussion.

even for 1 vIOMMU per VM there could be multiple vIOMMU objects created in the kernel in case the devices connected to the VM-visible vIOMMU locate behind different physical SMMUs.

we don't expect one vIOMMU object to span multiple physical ones.

I think it's consistent, yet we had different perspectives for a virtual IOMMU instance in the VM: Jason's suggested design for a VM is to have 1-to-1 mapping between virtual IOMMU instances and physical IOMMU instances. So, one vIOMMU is backed by one pIOMMU only, i.e. one vIOMMU object in the kernel.

Your case seems to be the model where a VM has one giant virtual IOMMU instance backed by multiple physical IOMMUs, in which case all the passthrough devices, regardless their associated pIOMMUs, are connected to this shared virtual IOMMU. And yes, this shared virtual IOMMU can have multiple vIOMMU objects.

Regarding these two models, I had listed their pros/cons at (2): https://lore.kernel.org/qemu-devel/cover.1719361174.git.nicolinc@nvidia.com/

(Not 100% sure) VT-d might not have something like vCMDQ, so it can stay in the shared model to simplify certain things, though I feel it may face some similar situation like mapping multiple physical MMIO regions to a single virtual region (undoable!) if some day intel has some similar HW-accelerated feature?

Thanks Nic

On Fri, Sep 27, 2024 at 02:23:16AM +0000, Tian, Kevin wrote:

...

...

...

...

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here:

• If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT.
• If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

this is not consistent with previous discussion.

even for 1 vIOMMU per VM there could be multiple vIOMMU objects created in the kernel in case the devices connected to the VM-visible vIOMMU locate behind different physical SMMUs.

we don't expect one vIOMMU object to span multiple physical ones.

I think it's consistent, yet we had different perspectives for a virtual IOMMU instance in the VM: Jason's suggested design for a VM is to have 1-to-1 mapping between virtual IOMMU instances and physical IOMMU instances. So, one vIOMMU is backed by one pIOMMU only, i.e. one vIOMMU object in the kernel.

Your case seems to be the model where a VM has one giant virtual IOMMU instance backed by multiple physical IOMMUs, in which case all the passthrough devices, regardless their associated pIOMMUs, are connected to this shared virtual IOMMU. And yes, this shared virtual IOMMU can have multiple vIOMMU objects.

yes.

sorry that I should not use "inconsistent" in the last reply. It's more about completeness for what the design allows. 😊

No worries. I'll add more narratives to the next version, likely with another detailed update to the iommufd documentation. This discussion made me realize that we need to clearly write it down.

Thanks! Nic

On Fri, Sep 27, 2024 at 01:38:08PM +0800, Yi Liu wrote:

...

...

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here:

• If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT.
• If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

So if you have two devices assigned to a VM, then you may have two vIOMMUs or one vIOMMU exposed to guest. This depends on whether the two devices are behind the same physical IOMMU. If it's two vIOMMUs, the two can share the s2 hwpt if their physical IOMMU is compatible. is it?

Yes.

To achieve the above, you need to know if the physical IOMMUs of the assigned devices, hence be able to tell if physical IOMMUs are the same and if they are compatible. How would userspace know such infos?

My draft implementation with QEMU does something like this: - List all viommu-matched iommu nodes under /sys/class/iommu: LINKs - Get PCI device's /sys/bus/pci/devices/0000:00:00.0/iommu: LINK0 - Compare the LINK0 against the LINKs

We so far don't have an ID for physical IOMMU instance, which can be an alternative to return via the hw_info call, otherwise.

QEMU then does the routing to assign PCI buses and IORT (or DT). This part is suggested now to move to libvirt though. So, I think at the end of the day, libvirt would run the sys check and assign a device to the corresponding pci bus backed by the correct IOMMU.

This gives an example showing two devices behind iommu0 and third device behind iommu1 are assigned to a VM: -device pxb-pcie.id=pcie.viommu0,bus=pcie.0.... \ # bus for viommu0 -device pxb-pcie.id=pcie.viommu1,bus=pcie.0.... \ # bus for viommu1 -device pcie-root-port,id=pcie.viommu0p0,bus=pcie.viommu0... \ -device pcie-root-port,id=pcie.viommu0p1,bus=pcie.viommu0... \ -device pcie-root-port,id=pcie.viommu1p0,bus=pcie.viommu1... \ -device vfio-pci,bus=pcie.viommu0p0... \ # connect to bus for viommu0 -device vfio-pci,bus=pcie.viommu0p1... \ # connect to bus for viommu0 -device vfio-pci,bus=pcie.viommu1p0... # connect to bus for viommu1

For compatibility to share a stage-2 HWPT, basically we would do a device attach to one of the stage-2 HWPT from the list that VMM should keep. This attach has all the compatibility test, down to the IOMMU driver. If it fails, just allocate a new stage-2 HWPT.

Thanks Nic

On Fri, Sep 27, 2024 at 08:59:25AM -0300, Jason Gunthorpe wrote:

On Thu, Sep 26, 2024 at 11:02:37PM -0700, Nicolin Chen wrote:

...

On Fri, Sep 27, 2024 at 01:38:08PM +0800, Yi Liu wrote:

...

...

...

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here:

• If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT.
• If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

So if you have two devices assigned to a VM, then you may have two vIOMMUs or one vIOMMU exposed to guest. This depends on whether the two devices are behind the same physical IOMMU. If it's two vIOMMUs, the two can share the s2 hwpt if their physical IOMMU is compatible. is it?

Yes.

...

To achieve the above, you need to know if the physical IOMMUs of the assigned devices, hence be able to tell if physical IOMMUs are the same and if they are compatible. How would userspace know such infos?

My draft implementation with QEMU does something like this:

• List all viommu-matched iommu nodes under /sys/class/iommu: LINKs
• Get PCI device's /sys/bus/pci/devices/0000:00:00.0/iommu: LINK0
• Compare the LINK0 against the LINKs

We so far don't have an ID for physical IOMMU instance, which can be an alternative to return via the hw_info call, otherwise.

We could return the sys/class/iommu string from some get_info or something

I had a patch doing an ida alloc for each iommu_dev and returning the ID via hw_info. It wasn't useful at that time, as we went for fail-n-retry for S2 HWPT allocations on multi-pIOMMU platforms.

Perhaps that could be cleaner than returning a string?

...

For compatibility to share a stage-2 HWPT, basically we would do a device attach to one of the stage-2 HWPT from the list that VMM should keep. This attach has all the compatibility test, down to the IOMMU driver. If it fails, just allocate a new stage-2 HWPT.

Ideally just creating the viommu should validate the passed in hwpt is compatible without attaching.

I think I should add a validation between hwpt->domain->owner and dev_iommu_ops(idev->dev) then!

Thanks Nicolin

On Fri, Sep 27, 2024 at 08:12:40PM +0800, Yi Liu wrote:

External email: Use caution opening links or attachments

On 2024/9/27 14:02, Nicolin Chen wrote:

...

On Fri, Sep 27, 2024 at 01:38:08PM +0800, Yi Liu wrote:

...

...

...

Does it mean each vIOMMU of VM can only have one s2 HWPT?

Giving some examples here:

• If a VM has 1 vIOMMU, there will be 1 vIOMMU object in the kernel holding one S2 HWPT.
• If a VM has 2 vIOMMUs, there will be 2 vIOMMU objects in the kernel that can hold two different S2 HWPTs, or share one S2 HWPT (saving memory).

So if you have two devices assigned to a VM, then you may have two vIOMMUs or one vIOMMU exposed to guest. This depends on whether the two devices are behind the same physical IOMMU. If it's two vIOMMUs, the two can share the s2 hwpt if their physical IOMMU is compatible. is it?

Yes.

...

To achieve the above, you need to know if the physical IOMMUs of the assigned devices, hence be able to tell if physical IOMMUs are the same and if they are compatible. How would userspace know such infos?

My draft implementation with QEMU does something like this:

• List all viommu-matched iommu nodes under /sys/class/iommu: LINKs
• Get PCI device's /sys/bus/pci/devices/0000:00:00.0/iommu: LINK0
• Compare the LINK0 against the LINKs

We so far don't have an ID for physical IOMMU instance, which can be an alternative to return via the hw_info call, otherwise.

intel platform has a kind of ID for the physical IOMMUs.

ls /sys/class/iommu/ dmar0 dmar1 dmar10 dmar11 dmar12 dmar13 dmar14 dmar15 dmar16 dmar17 dmar18 dmar19 dmar2 dmar3 dmar4 dmar5 dmar6 dmar7 dmar8 dmar9 iommufd_selftest_iommu.0

Wow, that's a lot of IOMMU devices. I somehow had an impression that Intel uses one physical IOMMU..

Yea, we need something in the core. I had one patch previously: https://github.com/nicolinc/iommufd/commit/b7520901184fd9fa127abb88c1f0be16b...

...

QEMU then does the routing to assign PCI buses and IORT (or DT). This part is suggested now to move to libvirt though. So, I think at the end of the day, libvirt would run the sys check and assign a device to the corresponding pci bus backed by the correct IOMMU.

and also give the correct viommu for the device.

In this design, a pxb bus is exclusively created for a viommu instance, meaning so long as device is assigned to the correct bus number, it'll be linked to the correct viommu.

...

This gives an example showing two devices behind iommu0 and third device behind iommu1 are assigned to a VM: -device pxb-pcie.id=pcie.viommu0,bus=pcie.0.... \ # bus for viommu0 -device pxb-pcie.id=pcie.viommu1,bus=pcie.0.... \ # bus for viommu1 -device pcie-root-port,id=pcie.viommu0p0,bus=pcie.viommu0... \ -device pcie-root-port,id=pcie.viommu0p1,bus=pcie.viommu0... \ -device pcie-root-port,id=pcie.viommu1p0,bus=pcie.viommu1... \ -device vfio-pci,bus=pcie.viommu0p0... \ # connect to bus for viommu0 -device vfio-pci,bus=pcie.viommu0p1... \ # connect to bus for viommu0 -device vfio-pci,bus=pcie.viommu1p0... # connect to bus for viommu1

is the viommu# an "-object" or just hints to describe the relationship between device and viommu and build the IORT?

Yes. Eric actually suggested something better for the relationship between pxb-pcie with viommu:

-device pxb-pcie,bus_nr=100,id=pci.12,numa_node=0,bus=pcie.0,addr=0x3,iommu=<id> from: https://lore.kernel.org/qemu-devel/9c3e95c2-1035-4a55-89a3-97165ef32f18@redh...

This would likely help the IORT or Device Tree building.

Currently, ARM VIRT machine doesn't create a vSMMU via a "-device" string, i.e. not a plugable module yet. I recall Intel does. So, you guys are one step ahead.

I'm considering how it would look like if the QEMU Intel vIOMMU is going to use the viommu obj. Currently, we only support one virtual VT-d due to some considerations like hot-plug. Per your conversation with Kevin, it seems to be supported. So there is no strict connection between vIOMMU and vIOMMU obj. But the vIOMMU obj can only be connected with one pIOMMU. right?

Yes. Most of my earlier vSMMU versions did something similar, e.g. one shared vSMMU instance in the QEMU holding a list of S2 hwpts. With this new iommufd viommu object, it would be a list of viommu objs. Eric suggested that HostIOMMUDevice could store any pIOMMU info. So, compatibility check can be done with that (or the old fashioned way of trying an device attach).

The invalidation on the other hand needs to identify each trapped invalidation request to distribute it to the correct viommu. This is also one of the cons of this shared viommu model: invalidation inefficiency -- there can be some cases where we fail to identify which viommu to distribute so we have to broadcast to all viommus. With a multi-viommu-instance model, invalidations are distributed naturally by the guest kernel.

Thanks Nicolin

On Thu, Sep 05, 2024 at 01:03:53PM -0300, Jason Gunthorpe wrote:

On Tue, Aug 27, 2024 at 09:59:43AM -0700, Nicolin Chen wrote:

...

Introduce a pair of new ioctls to set/unset a per-viommu virtual device id that should be linked to a physical device id via an idev pointer.

Given some of the other discussions around CC I suspect we should rename these to 'create/destroy virtual device' with an eye that eventually they would be extended like other ops with per-CC platform data.

ie this would be the interface to tell the CC trusted world that a secure device is being added to a VM with some additional flags..

Right now it only conveys the vRID parameter of the virtual device being created.

A following question is if these objects should have their own IDs in the iommufd space too, and then unset is not unset but just a normal destroy object. If so then the thing you put in the ids xarray would also just be a normal object struct.

This is probably worth doing if this is going to grow more CC stuff later.

Having to admit that I have been struggling to find a better name than set_vdev_id, I also thought about something similar to that "create/destroy virtual device', yet was not that confident since we only have virtual device ID in its data structure. Also, the virtual device sounds a bit confusing, given we already have idev.

That being said, if we have a clear picture that in the long term we would extend it to hold more information, I think it could be a smart move.

Perhaps virtual device can have its own "attach" to vIOMMU? Or would you still prefer attaching via proxy hwpt_nested?

Thanks Nicolin

On Thu, Sep 05, 2024 at 02:43:26PM -0300, Jason Gunthorpe wrote:

On Thu, Sep 05, 2024 at 10:37:45AM -0700, Nicolin Chen wrote:

...

we only have virtual device ID in its data structure. Also, the virtual device sounds a bit confusing, given we already have idev.

idev is "iommufd device" which is the physical device

The virtual device is the host side handle of a device in a VM.

Yea, we need that narrative in kdoc to clearly separate them.

...

That being said, if we have a clear picture that in the long term we would extend it to hold more information, I think it could be a smart move.

Perhaps virtual device can have its own "attach" to vIOMMU? Or would you still prefer attaching via proxy hwpt_nested?

I was thinking just creating it against a vIOMMU is an effective "attach" and the virtual device is permanently tied to the vIOMMU at creation time.

Ah, right! The create is per-viommu, so it's being attached.

Nicolin

On Wed, Sep 11, 2024 at 06:19:10AM +0000, Tian, Kevin wrote:

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Friday, September 6, 2024 4:15 AM

On Thu, Sep 05, 2024 at 02:43:26PM -0300, Jason Gunthorpe wrote:

...

On Thu, Sep 05, 2024 at 10:37:45AM -0700, Nicolin Chen wrote:

...

That being said, if we have a clear picture that in the long term we would extend it to hold more information, I think it could be a smart move.

Perhaps virtual device can have its own "attach" to vIOMMU? Or would you still prefer attaching via proxy hwpt_nested?

I was thinking just creating it against a vIOMMU is an effective "attach" and the virtual device is permanently tied to the vIOMMU at creation time.

Ah, right! The create is per-viommu, so it's being attached.

presumably we also need check compatibility between the idev which the virtual device is created against and the stage-2 pgtable, as a normal attach required?

If that's required, it can be a part of "create virtual device", where idev and viommu (holding s2 hwpt) would be all available?

Thanks Nicolin

On Wed, Sep 11, 2024 at 07:18:52AM +0000, Tian, Kevin wrote:

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, September 11, 2024 3:12 PM

On Wed, Sep 11, 2024 at 06:19:10AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Friday, September 6, 2024 4:15 AM

On Thu, Sep 05, 2024 at 02:43:26PM -0300, Jason Gunthorpe wrote:

...

On Thu, Sep 05, 2024 at 10:37:45AM -0700, Nicolin Chen wrote:

...

That being said, if we have a clear picture that in the long term we would extend it to hold more information, I think it could be a smart move.

Perhaps virtual device can have its own "attach" to vIOMMU? Or would you still prefer attaching via proxy hwpt_nested?

I was thinking just creating it against a vIOMMU is an effective "attach" and the virtual device is permanently tied to the vIOMMU at creation time.

Ah, right! The create is per-viommu, so it's being attached.

presumably we also need check compatibility between the idev which the virtual device is created against and the stage-2 pgtable, as a normal attach required?

If that's required, it can be a part of "create virtual device", where idev and viommu (holding s2 hwpt) would be all available?

yes

Oh, I misread your question actually. I think it's about a matching validation between dev->iommu->iommu_dev and vIOMMU->iommu_dev.

Thanks Nicolin

On Tue, Oct 01, 2024 at 01:54:05AM -0700, Nicolin Chen wrote:

On Thu, Sep 05, 2024 at 10:38:23AM -0700, Nicolin Chen wrote:

...

On Thu, Sep 05, 2024 at 01:03:53PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:43AM -0700, Nicolin Chen wrote:

...

Introduce a pair of new ioctls to set/unset a per-viommu virtual device id that should be linked to a physical device id via an idev pointer.

Given some of the other discussions around CC I suspect we should rename these to 'create/destroy virtual device' with an eye that eventually they would be extended like other ops with per-CC platform data.

ie this would be the interface to tell the CC trusted world that a secure device is being added to a VM with some additional flags..

Right now it only conveys the vRID parameter of the virtual device being created.

A following question is if these objects should have their own IDs in the iommufd space too, and then unset is not unset but just a normal destroy object. If so then the thing you put in the ids xarray would also just be a normal object struct.

I found that adding it as a new object makes things a lot of easier since a vdevice can take refcounts of both viommu and idev. So both destroy() callbacks wouldn't be bothered.

While confirming if I am missing something from the review comments, I am not quite sure what is "the thing you put in the ids xarray".. I only added a vRID xarray per viommu, yet that doesn't seem to be able to merge into the normal object struct. Mind elaborating?

I would think to point the vRID xarray directly to the new iommufd vdevice object

Jason

On Fri, Sep 27, 2024 at 11:01:41AM -0300, Jason Gunthorpe wrote:

On Fri, Sep 27, 2024 at 01:50:52PM +0000, Mostafa Saleh wrote:

...

My understanding of IOMMUFD is very little, but AFAICT, that means that it’s assumed that each device can only have one stream ID(RID)?

As I can see in patch 17 in arm_smmu_convert_viommu_vdev_id(), it converts the virtual ID to a physical one using master->streams[0].id.

Is that correct or am I missing something?

As I am looking at similar problem for paravirtual IOMMU with pKVM, where the UAPI would be something similar to:

GET_NUM_END_POINTS(dev) => nr_sids

SET_END_POINT_VSID(dev, sid_index, vsid)

Similar to what VFIO does with IRQs.

As a device can have many SIDs.

We don't support multi SID through this interface, at least in this version.

To do multi-sid you have to inform the VM of all the different pSIDs the device has and then setup the vSID/pSID translation to map them all to the HW invalidation logic.

Why would the VM need to know the pSID? The way I view this is quite close to how irq works, the VM only views the GSI which is the virtualized number. The VMM then would need to configure vSID->pSID translation, also without knowing the actual pSID, just how many SIDs are there per-device; very similar to how it configures IRQs through VFIO_DEVICE_GET_INFO/VFIO_DEVICE_SET_IRQS.

And as long as we only allow 1:1 vSID to pSID mapping, I guess it would be easy to implement.

Which is alot more steps, and we have no use case right now. Multi-sid is also not something I expect to see in any modern PCI device, and this is VFIO PCI...

Ah, I thought IOMMUFD would be used instead of VFIO_TYPE1*, which should cover platform devices (VFIO-platform) or am I missing something?

And multi-SIDs is common in platform devices and this would be quite restricting, and I was hoping to support the pKVM vIOMMU through IOMMUFD interface.

If possible, can the UAPI be designed with this in mind, even if not implemented now?

Thanks, Mostafa

Jason

On Fri, Sep 27, 2024 at 3:58 PM Jason Gunthorpe jgg@nvidia.com wrote:

On Fri, Sep 27, 2024 at 02:22:20PM +0000, Mostafa Saleh wrote:

...

...

We don't support multi SID through this interface, at least in this version.

To do multi-sid you have to inform the VM of all the different pSIDs the device has and then setup the vSID/pSID translation to map them all to the HW invalidation logic.

Why would the VM need to know the pSID?

It doesn't need to know the pSID exactly, but it needs to know all the pSIDs that exist and have them be labeled with vSIDs.

With cmdq direct assignment the VM has to issue an ATS invalidation for each and every physical device using its vSID. There is no HW path to handle a 1:N v/p SID relationship.

I see, that's for the cmdq assignment.

...

Ah, I thought IOMMUFD would be used instead of VFIO_TYPE1*, which should cover platform devices (VFIO-platform) or am I missing something?

It does work with platform, but AFAIK nobody is interested in that so it hasn't been any focus. Enabling multi-sid nesting, sub stream ids, etc is some additional work I think.

But what I mean is the really hard use case for the vSID/pSID mapping is ATS invalidation and you won't use ATS invalidation on platform so multi-sid likely doesn't matter.

STE/CD invalidation could possibly be pushed down through the per-domain ioctl and replicated to all domain attachments. We don't have code in the series to do that, but it could work from a uAPI perspective.

...

If possible, can the UAPI be designed with this in mind, even if not implemented now?

It is reasonable to ask. I think things are extensible enough. I'd imagine we can add a flag 'secondary ID' and then a new field 'secondary ID index' to the vdev operations when someone wants to take this on.

Makes sense, I can take this when I start doing the pKVM work with IOMMUFD, in case it wasn't supported by then.

Thanks, Mostafa

Jason

On Fri, Oct 04, 2024 at 02:32:28PM +1000, Alexey Kardashevskiy wrote:

...

+/**

• • struct iommu_viommu_set_vdev_id - ioctl(IOMMU_VIOMMU_SET_VDEV_ID)
• • @size: sizeof(struct iommu_viommu_set_vdev_id)
• • @viommu_id: viommu ID to associate with the device to store its virtual ID
• • @dev_id: device ID to set its virtual ID
• • @__reserved: Must be 0
• • @vdev_id: Virtual device ID
• • Set a viommu-specific virtual ID of a device
• */

+struct iommu_viommu_set_vdev_id {

• __u32 size;
  

• __u32 viommu_id;
  

• __u32 dev_id;
  

Is this ID from vfio_device_bind_iommufd.out_devid?

Yes.

...

• __u32 __reserved;
  

• __aligned_u64 vdev_id;
  

What is the nature of this id? It is not the guest's BDFn, is it? The

Not exactly but certainly can be related. Explaining below..

code suggests it is ARM's "SID" == "stream ID" and "

Yes. That's the first use case of that.

a device might be able to generate multiple StreamIDs" (how, why?) 🤯 And these streams seem to have nothing to do with PCIe IDE streams, right?

PCI device only has one stream ID per its SMMU.

So the Stream ID is more like a channel ID or client ID from the SMMU (IOMMU) view. A PCI device's Stream ID can be calculated from the BDF numbers + the Stream-ID base of that PCI bus.

That said, this is all about IOMMU. So, it is likely more natural to forward an IOMMU-specific ID (vStream ID for a vSMMU) v.s. BDF.

For my SEV-TIO exercise ("trusted IO"), I am looking for a kernel interface to pass the guest's BDFs for a specific host device (which is passed through) and nothing in the kernel has any knowledge of it atm, is this the right place, or another ioctl() is needed here?

Sorry, I am too ignorant about ARM :)

We are reworking this ioctl to an IOMMU_VDEVICE_ALLOC cmd, meaning a virtual device allocation. A virtual device is another bond when an iommufd_device connects to an iommufd_viommu in the VM. The name "vDEVICE" and "virtual device" still need to go through discussion, so they aren't finalized. But the idea here is to have a structure to gather all virtualization information of the intersection of the device and the vIOMMU in the VM.

On the other hand, BDF is very PCI specific yet IOMMU independent. E.g. it could exist for a PCI device even without a vIOMMU in the VM, i.e. there is no vDEVICE in such case. Right?

So, if your use case relies on IOMMU and it is even a part of the IOMMU virtualization features, I think you are looking at the right place. And we should discuss how to incorporate that. Otherwise, I feel the struct vfio_pci might be the one to extend?

...

+}; +#define IOMMU_VIOMMU_SET_VDEV_ID _IO(IOMMUFD_TYPE, IOMMUFD_CMD_VIOMMU_SET_VDEV_ID)

+/**

• • struct iommu_viommu_unset_vdev_id - ioctl(IOMMU_VIOMMU_UNSET_VDEV_ID)
• • @size: sizeof(struct iommu_viommu_unset_vdev_id)
• • @viommu_id: viommu ID associated with the device to delete its virtual ID
• • @dev_id: device ID to unset its virtual ID
• • @__reserved: Must be 0
• • @vdev_id: Virtual device ID (for verification)
• • Unset a viommu-specific virtual ID of a device
• */

+struct iommu_viommu_unset_vdev_id {

• __u32 size;
  

• __u32 viommu_id;
  

• __u32 dev_id;
  

• __u32 __reserved;
  

• __aligned_u64 vdev_id;
  

+}; +#define IOMMU_VIOMMU_UNSET_VDEV_ID _IO(IOMMUFD_TYPE, IOMMUFD_CMD_VIOMMU_UNSET_VDEV_ID) #endif

Nit: "git format-patch -O orderfile" makes patches nicer by putting the documentation first (.h before .c, in this case) with the "ordefile" looking like this:

=== *.txt configure *Makefile* *.json *.h

*.c

Interesting :)

Will try it!

Thanks Nicolin

On Fri, Oct 04, 2024 at 08:41:47AM -0300, Jason Gunthorpe wrote:

On Fri, Oct 04, 2024 at 02:32:28PM +1000, Alexey Kardashevskiy wrote:

...

For my SEV-TIO exercise ("trusted IO"), I am looking for a kernel interface to pass the guest's BDFs for a specific host device (which is passed through) and nothing in the kernel has any knowledge of it atm, is this the right place, or another ioctl() is needed here?

We probably need to add the vRID as well to this struct for that reason.

"vRID"/"vBDF" doesn't sound very generic to me to put in this structure, though PCI devices are and very likely will be the only users of this Virtual Device for a while. Any good idea?

Also, I am wondering if the uAPI structure of Virtual Device should have a driver-specific data structure. And the vdev_id should be in the driver-specific struct. So, it could stay in corresponding naming, "Stream ID", "Device ID" or "Context ID" v.s. a generic "Virtual ID" in the top-level structure? Then, other info like CCA can be put in the driver-level structure of SMMU's.

The vdev_id is the iommu handle, and there is a platform specific transformation between Bus/Device/Function and the iommu handle. In some cases this is math, in some cases it is ACPI/DT tables or something.

So I think the kernel should not make an assumption about the relationship.

Agreed. That also implies that a vRID is quite independent to the IOMMU right? So, I think that the reason of adding a vRID to the virtual deivce uAPI/structure should be IOMMU requiring it?

Thanks Nicolin

On Fri, Oct 04, 2024 at 03:50:19PM -0300, Jason Gunthorpe wrote:

On Fri, Oct 04, 2024 at 11:13:46AM -0700, Nicolin Chen wrote:

...

On Fri, Oct 04, 2024 at 08:41:47AM -0300, Jason Gunthorpe wrote:

...

On Fri, Oct 04, 2024 at 02:32:28PM +1000, Alexey Kardashevskiy wrote:

...

For my SEV-TIO exercise ("trusted IO"), I am looking for a kernel interface to pass the guest's BDFs for a specific host device (which is passed through) and nothing in the kernel has any knowledge of it atm, is this the right place, or another ioctl() is needed here?

We probably need to add the vRID as well to this struct for that reason.

"vRID"/"vBDF" doesn't sound very generic to me to put in this structure, though PCI devices are and very likely will be the only users of this Virtual Device for a while. Any good idea?

It isn't necessarily bad to have a pci field as long as we can somehow understand when it is used.

OK.

...

Also, I am wondering if the uAPI structure of Virtual Device should have a driver-specific data structure. And the vdev_id should be in the driver-specific struct. So, it could stay in corresponding naming, "Stream ID", "Device ID" or "Context ID" v.s. a generic "Virtual ID" in the top-level structure? Then, other info like CCA can be put in the driver-level structure of SMMU's.

I'd to avoid a iommu-driver specific structure here, but I fear we will have a "lowervisor" (sigh) specific structure for the widely varied CC/pkvm/etc world.

The design of the structure also impacts how we implement the API between iommufd and the drivers. Right now, forwarding the ID via a function parameter is fine, but we would need a user structure once we have more stuff to forward.

With that, I wonder what is better for the initial version of this structure, a generic virtual ID or a driver-named ID like "Stream ID"? The latter might be more understandable/flexible, so we won't need to justify a generic virtual ID along the way if something changes in the nature?

...

Agreed. That also implies that a vRID is quite independent to the IOMMU right? So, I think that the reason of adding a vRID to the virtual deivce uAPI/structure should be IOMMU requiring it?

I would like to use this API to link in the CC/pkvm/etc world, and use it to create not just the vIOMMU components but link up to the "lowervisor" components as well, since it is all the same stuff basically.

That sounds wider than what I defined it for in my patch: * struct iommu_vdevice_alloc - ioctl(IOMMU_VDEVICE_ALLOC) * ... * Allocate a virtual device instance (for a physical device) against a vIOMMU. * This instance holds the device's information in a VM, related to its vIOMMU.

Would you please help rephrase it? It'd be also helpful for me to update the doc.

Though I feel slightly odd if we define it wider than "vIOMMU" since this is an iommufd header...

Thanks Nicolin

On Fri, Oct 04, 2024 at 05:17:46PM -0300, Jason Gunthorpe wrote:

On Fri, Oct 04, 2024 at 12:25:19PM -0700, Nicolin Chen wrote:

...

With that, I wonder what is better for the initial version of this structure, a generic virtual ID or a driver-named ID like "Stream ID"? The latter might be more understandable/flexible, so we won't need to justify a generic virtual ID along the way if something changes in the nature?

I think the name could be a bit more specific "viommu_device_id" maybe? And elaborate in the kdoc that this is about the identifier that the iommu HW itself uses.

A "vIOMMU Device ID" might sound a bit confusing with an ID of a vIOMMU itself :-/

At this moment, I named it "virt_id" in uAPI with a description: " * @virt_id: Virtual device ID per vIOMMU"

I could add to that (or just in the documentation): "e.g. ARM's Stream ID, AMD's DeviceID, Intel's Context Table ID" to clarify it further.

...

That sounds wider than what I defined it for in my patch:

• struct iommu_vdevice_alloc - ioctl(IOMMU_VDEVICE_ALLOC)
• ...
• Allocate a virtual device instance (for a physical device) against a vIOMMU.
• This instance holds the device's information in a VM, related to its vIOMMU.

Would you please help rephrase it? It'd be also helpful for me to update the doc.

I think that is still OK for the moment.

...

Though I feel slightly odd if we define it wider than "vIOMMU" since this is an iommufd header...

The notion I have is that vIOMMU would expand to encompass not just the physical hypervisor controled vIOMMU but also the vIOMMU controlled by the trusted "lowervisor" in a pkvm/cc/whatever world.

Alexey is working on vIOMMU support in CC which has the trusted world do some of the trusted vIOMMU components. I'm hoping the other people in this area will look at his design and make it fit nicely to everyone.

Oh, I didn't connect the dots that lowervisor must rely on the vIOMMU too -- I'd need to check the CC stuff in detail. In that case, having it in vIOMMU uAPI totally makes sense.

Thanks Nicolin

On Tue, Aug 27, 2024 at 09:59:45AM -0700, Nicolin Chen wrote:

Add a default_viommu_ops with a new op for cache invaldiation, similar to the cache_invalidate_user op in structure iommu_domain_ops, but wider. An IOMMU driver that allocated a nested domain with a core-managed viommu is able to use the same viommu pointer for this cache invalidation API.

ARM SMMUv3 for example supports IOTLB and ATC device cache invaldiations. The IOTLB invalidation is per-VMID, held currently by a parent S2 domain. The ATC invalidation is per device (Stream ID) that should be tranlsated by a virtual device ID lookup table. Either case fits the viommu context.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/iommufd_private.h | 3 +++ drivers/iommu/iommufd/viommu.c | 3 +++ include/linux/iommu.h | 5 +++++ include/linux/iommufd.h | 19 +++++++++++++++++++ 4 files changed, 30 insertions(+)

It looks OK

Reviewed-by: Jason Gunthorpe jgg@nvidia.com

Jason

On Tue, Aug 27, 2024 at 09:59:46AM -0700, Nicolin Chen wrote:

With a VIOMMU object, use space can flush any IOMMU related cache that can be directed using the viommu. It is similar to IOMMU_HWPT_INVALIDATE uAPI, but can cover a wider range than IOTLB, such as device cache or desciprtor cache.

Allow hwpt_id of the iommu_hwpt_invalidate structure to carry a viommu_id, and reuse the IOMMU_HWPT_INVALIDATE uAPI for VIOMMU invalidations. Driver can define a different structure for VIOMMU invalidations v.s. HWPT ones.

Update the uAPI, kdoc, and selftest case accordingly.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/hw_pagetable.c | 32 +++++++++++++++++++------ include/uapi/linux/iommufd.h | 9 ++++--- tools/testing/selftests/iommu/iommufd.c | 4 ++-- 3 files changed, 33 insertions(+), 12 deletions(-)

Reviewed-by: Jason Gunthorpe jgg@nvidia.com

Jason

On Tue, Aug 27, 2024 at 09:59:47AM -0700, Nicolin Chen wrote:

Driver can call the iommufd_viommu_find_device() to find a device pointer using its per-viommu virtual ID. The returned device must be protected by the pair of iommufd_viommu_lock/unlock_vdev_id() function.

Put these three functions into a new viommu_api file, to build it with the IOMMUFD_DRIVER config.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/Makefile | 2 +- drivers/iommu/iommufd/viommu_api.c | 39 ++++++++++++++++++++++++++++++ include/linux/iommufd.h | 16 ++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 drivers/iommu/iommufd/viommu_api.c

I still think this is better to just share the struct content with the driver, eventually we want to do this anyhow as the driver will want to use container_of() techniques to reach its private data.

+/*

• • Find a device attached to an VIOMMU object using a virtual device ID that was
• • set via an IOMMUFD_CMD_VIOMMU_SET_VDEV_ID. Callers of this function must call
• • iommufd_viommu_lock_vdev_id() prior and iommufd_viommu_unlock_vdev_id() after
• • Return device or NULL.
• */

+struct device *iommufd_viommu_find_device(struct iommufd_viommu *viommu, u64 id) +{

• struct iommufd_vdev_id *vdev_id;
• lockdep_assert_held(&viommu->vdev_ids_rwsem);
• xa_lock(&viommu->vdev_ids);
• vdev_id = xa_load(&viommu->vdev_ids, (unsigned long)id);
• xa_unlock(&viommu->vdev_ids);

No need for this lock, xa_load is rcu safe against concurrent writer

Jason

On Thu, Sep 05, 2024 at 10:53:31AM -0700, Nicolin Chen wrote:

On Thu, Sep 05, 2024 at 01:14:15PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:47AM -0700, Nicolin Chen wrote:

...

Driver can call the iommufd_viommu_find_device() to find a device pointer using its per-viommu virtual ID. The returned device must be protected by the pair of iommufd_viommu_lock/unlock_vdev_id() function.

Put these three functions into a new viommu_api file, to build it with the IOMMUFD_DRIVER config.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/Makefile | 2 +- drivers/iommu/iommufd/viommu_api.c | 39 ++++++++++++++++++++++++++++++ include/linux/iommufd.h | 16 ++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 drivers/iommu/iommufd/viommu_api.c

I still think this is better to just share the struct content with the driver, eventually we want to do this anyhow as the driver will want to use container_of() techniques to reach its private data.

In my mind, exposing everything to the driver is something that we have to (for driver-managed structures) v.s. we want to... Even in that case, a driver actually only need to know the size of the core structure, without touching what's inside(?).

I am a bit worried that drivers would abuse the content in the core-level structure.. Providing a set of API would encourage them to keep the core structure intact, hopefully..

This is always a tension in the kernel. If the core apis can be nice and tidy then it is a reasonable direction

But here I think we've cross some threshold where the APIs are complex, want to be inlined and really we just want to expose data not APIs to drivers.

...

No need for this lock, xa_load is rcu safe against concurrent writer

I see iommufd's device.c and main.c grab xa_lock before xa_load?

That is not to protect the xa_load, it is to protect the lifetime of pointer it returns

Jason

On Wed, Sep 11, 2024 at 08:17:22PM -0700, Nicolin Chen wrote:

On Wed, Sep 11, 2024 at 08:11:03PM -0300, Jason Gunthorpe wrote:

...

On Thu, Sep 05, 2024 at 10:53:31AM -0700, Nicolin Chen wrote:

...

On Thu, Sep 05, 2024 at 01:14:15PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:47AM -0700, Nicolin Chen wrote:

...

Driver can call the iommufd_viommu_find_device() to find a device pointer using its per-viommu virtual ID. The returned device must be protected by the pair of iommufd_viommu_lock/unlock_vdev_id() function.

Put these three functions into a new viommu_api file, to build it with the IOMMUFD_DRIVER config.

Signed-off-by: Nicolin Chen nicolinc@nvidia.com

drivers/iommu/iommufd/Makefile | 2 +- drivers/iommu/iommufd/viommu_api.c | 39 ++++++++++++++++++++++++++++++ include/linux/iommufd.h | 16 ++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 drivers/iommu/iommufd/viommu_api.c

I still think this is better to just share the struct content with the driver, eventually we want to do this anyhow as the driver will want to use container_of() techniques to reach its private data.

In my mind, exposing everything to the driver is something that we have to (for driver-managed structures) v.s. we want to... Even in that case, a driver actually only need to know the size of the core structure, without touching what's inside(?).

I am a bit worried that drivers would abuse the content in the core-level structure.. Providing a set of API would encourage them to keep the core structure intact, hopefully..

This is always a tension in the kernel. If the core apis can be nice and tidy then it is a reasonable direction

But here I think we've cross some threshold where the APIs are complex, want to be inlined and really we just want to expose data not APIs to drivers.

OK. I'll think of a rework. And might need another justification for a DEFAULT type of vIOMMU object to fit in.

I tried exposing the struct iommufd_viommu to drivers, and was able to drop a couple of helpers, except these two:

struct device *vdev_to_dev(struct iommufd_vdevice *vdev) { return vdev ? vdev->idev->dev : NULL; } // Without it, we need to expose struct iommufd_device.

struct iommu_domain * iommufd_viommu_to_parent_domain(struct iommufd_viommu *viommu) { if (!viommu || !viommu->hwpt) return NULL; return viommu->hwpt->common.domain; } // Without it, we need to expose struct iommufd_hwpt_page.

Thanks Nicolin

On Mon, Oct 07, 2024 at 12:38:37PM -0300, Jason Gunthorpe wrote:

On Fri, Oct 04, 2024 at 10:19:43PM -0700, Nicolin Chen wrote:

...

I tried exposing the struct iommufd_viommu to drivers, and was able to drop a couple of helpers, except these two:

struct device *vdev_to_dev(struct iommufd_vdevice *vdev) { return vdev ? vdev->idev->dev : NULL; } // Without it, we need to expose struct iommufd_device.

struct iommu_domain * iommufd_viommu_to_parent_domain(struct iommufd_viommu *viommu) { if (!viommu || !viommu->hwpt) return NULL; return viommu->hwpt->common.domain; } // Without it, we need to expose struct iommufd_hwpt_page.

It seems OK, there isn't really locking entanglements or performance path on this stuff?

----- The typical use case of the first one is like: dev = vdev_to_dev(xa_load(&viommu->vdevs, (unsigned long)vdev_id)); so I am asking for: /* Caller should lock via viommu->vdevs_rwsem with proper permission */

----- And for the second one: /* * Convert a viommu to the encapsulated nesting parent domain. A caller must be * aware of the life cycle of the viommu pointer: only call this function in a * callback functions of viommu_alloc or a viommu op. */ -----

Thanks Nicolin

On Mon, Oct 07, 2024 at 02:11:19PM -0300, Jason Gunthorpe wrote:

On Mon, Oct 07, 2024 at 09:36:18AM -0700, Nicolin Chen wrote:

...

On Mon, Oct 07, 2024 at 12:38:37PM -0300, Jason Gunthorpe wrote:

...

On Fri, Oct 04, 2024 at 10:19:43PM -0700, Nicolin Chen wrote:

...

I tried exposing the struct iommufd_viommu to drivers, and was able to drop a couple of helpers, except these two:

struct device *vdev_to_dev(struct iommufd_vdevice *vdev) { return vdev ? vdev->idev->dev : NULL; } // Without it, we need to expose struct iommufd_device.

struct iommu_domain * iommufd_viommu_to_parent_domain(struct iommufd_viommu *viommu) { if (!viommu || !viommu->hwpt) return NULL; return viommu->hwpt->common.domain; } // Without it, we need to expose struct iommufd_hwpt_page.

It seems OK, there isn't really locking entanglements or performance path on this stuff?

---

The typical use case of the first one is like: dev = vdev_to_dev(xa_load(&viommu->vdevs, (unsigned long)vdev_id)); so I am asking for: /* Caller should lock via viommu->vdevs_rwsem with proper permission */

Why would vdev_to_dev need that locking? The viommu cannot change hwpt during its lifecycle?

This is for vdev/dev v.s. hwpt. We need the lock for viommu's vdev xarray.

Yet, giving a 2nd thought, I feel the lock would be useless if a driver tries to refer the returned vdev (with this helper) after the vdev object is destroyed..

We could only note something similar that caller must be aware of the life cycle of vdev itself..

Nicolin

On Mon, Oct 07, 2024 at 03:28:16PM -0300, Jason Gunthorpe wrote:

On Mon, Oct 07, 2024 at 10:25:01AM -0700, Nicolin Chen wrote:

...

This is for vdev/dev v.s. hwpt. We need the lock for viommu's vdev xarray.

Yet, giving a 2nd thought, I feel the lock would be useless if a driver tries to refer the returned vdev (with this helper) after the vdev object is destroyed..

We could only note something similar that caller must be aware of the life cycle of vdev itself..

Yes, I imagined you'd use the xa_lock for this an it solves both problems at once.

Ah! We don't even need a rwsem then..

Thanks! Nicolin

On Thu, Sep 05, 2024 at 01:23:17PM -0300, Jason Gunthorpe wrote:

On Tue, Aug 27, 2024 at 09:59:53AM -0700, Nicolin Chen wrote:

...

static const struct iommu_domain_ops arm_smmu_nested_ops = { .get_msi_mapping_domain = arm_smmu_get_msi_mapping_domain, .attach_dev = arm_smmu_attach_dev_nested, .free = arm_smmu_domain_nested_free,

• .cache_invalidate_user = arm_smmu_cache_invalidate_user,

};

I think we should drop this op. The original intention was to do things in parts to split up the patches, but it turns out this is functionally useless so lets not even expose it to userspace.

So the patch can maybe be split differently and combined with the next patch

Ack. I will see what I can do to submit it cleanly.

Thanks Nicolin

On Tue, Aug 27, 2024 at 09:59:54AM -0700, Nicolin Chen wrote:

+static int arm_smmu_viommu_cache_invalidate(struct iommufd_viommu *viommu,

• 			    struct iommu_user_data_array *array)
  

+{

• struct iommu_domain *domain = iommufd_viommu_to_parent_domain(viommu);
• return __arm_smmu_cache_invalidate_user(

• 	to_smmu_domain(domain), viommu, array);
  

I'd like to have the viommu struct directly hold the VMID. The nested parent should be sharable between multiple viommus, it doesn't make any sense that it would hold the vmid.

This is struggling because it is trying too hard to not have the driver allocate the viommu, and I think we should just go ahead and do that. Store the vmid, today copied from the nesting parent in the vmid private struct. No need for iommufd_viommu_to_parent_domain(), just rework the APIs to pass the vmid down not a domain.

Jason

On Thu, Sep 05, 2024 at 11:00:49AM -0700, Nicolin Chen wrote:

On Thu, Sep 05, 2024 at 01:20:39PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:54AM -0700, Nicolin Chen wrote:

...

+static int arm_smmu_viommu_cache_invalidate(struct iommufd_viommu *viommu,

• 			    struct iommu_user_data_array *array)
  

+{

• struct iommu_domain *domain = iommufd_viommu_to_parent_domain(viommu);
• return __arm_smmu_cache_invalidate_user(

• 	to_smmu_domain(domain), viommu, array);
  

I'd like to have the viommu struct directly hold the VMID. The nested parent should be sharable between multiple viommus, it doesn't make any sense that it would hold the vmid.

This is struggling because it is trying too hard to not have the driver allocate the viommu, and I think we should just go ahead and do that. Store the vmid, today copied from the nesting parent in the vmid private struct. No need for iommufd_viommu_to_parent_domain(), just rework the APIs to pass the vmid down not a domain.

OK. When I designed all this stuff, we still haven't made mind about sharing the s2 domain, i.e. moving the VMID, which might need a couple of more patches to achieve.

Yes, many more patches, and don't try to do it now.. But we can copy the vmid from the s2 and place it in the viommu struct during allocation time.

Jason

On Wed, Sep 11, 2024 at 06:25:16AM +0000, Tian, Kevin wrote:

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Friday, September 6, 2024 2:22 AM

On Thu, Sep 05, 2024 at 11:00:49AM -0700, Nicolin Chen wrote:

...

On Thu, Sep 05, 2024 at 01:20:39PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:54AM -0700, Nicolin Chen wrote:

...

+static int arm_smmu_viommu_cache_invalidate(struct

iommufd_viommu *viommu,

...

...

...

•                                       struct iommu_user_data_array
  

*array)

...

...

...

+{

•   struct iommu_domain *domain =
  

iommufd_viommu_to_parent_domain(viommu);

...

...

...

•   return __arm_smmu_cache_invalidate_user(
  

•                   to_smmu_domain(domain), viommu, array);
  

I'd like to have the viommu struct directly hold the VMID. The nested parent should be sharable between multiple viommus, it doesn't make any sense that it would hold the vmid.

This is struggling because it is trying too hard to not have the driver allocate the viommu, and I think we should just go ahead and do that. Store the vmid, today copied from the nesting parent in the vmid private struct. No need for iommufd_viommu_to_parent_domain(), just rework the APIs to pass the vmid down not a domain.

OK. When I designed all this stuff, we still haven't made mind about sharing the s2 domain, i.e. moving the VMID, which might need a couple of more patches to achieve.

Yes, many more patches, and don't try to do it now.. But we can copy the vmid from the s2 and place it in the viommu struct during allocation time.

does it assume that a viommu object cannot span multiple physical IOMMUs so there is only one vmid per viommu?

I think so. One the reasons of introducing vIOMMU is to maintain the shareability across physical IOMMUs at the s2 HWPT_PAGING.

Thanks Nicolin

From: Baolu Lu baolu.lu@linux.intel.com Sent: Wednesday, September 11, 2024 3:51 PM

On 2024/9/11 15:20, Nicolin Chen wrote:

...

On Wed, Sep 11, 2024 at 06:25:16AM +0000, Tian, Kevin wrote:

...

...

From: Jason Gunthorpejgg@nvidia.com Sent: Friday, September 6, 2024 2:22 AM

On Thu, Sep 05, 2024 at 11:00:49AM -0700, Nicolin Chen wrote:

...

On Thu, Sep 05, 2024 at 01:20:39PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:54AM -0700, Nicolin Chen wrote:

> +static int arm_smmu_viommu_cache_invalidate(struct

iommufd_viommu *viommu,

...

...

> + struct iommu_user_data_array

*array)

...

...

> +{ > + struct iommu_domain *domain =

iommufd_viommu_to_parent_domain(viommu);

...

...

> + > + return __arm_smmu_cache_invalidate_user( > + to_smmu_domain(domain), viommu, array); I'd like to have the viommu struct directly hold the VMID. The nested parent should be sharable between multiple viommus, it doesn't make any sense that it would hold the vmid.

This is struggling because it is trying too hard to not have the driver allocate the viommu, and I think we should just go ahead and

do

...

...

...

...

...

that. Store the vmid, today copied from the nesting parent in the vmid private struct. No need for iommufd_viommu_to_parent_domain(),

just

...

...

...

...

...

rework the APIs to pass the vmid down not a domain.

OK. When I designed all this stuff, we still haven't made mind about sharing the s2 domain, i.e. moving the VMID, which might need a couple of more patches to achieve.

Yes, many more patches, and don't try to do it now.. But we can copy the vmid from the s2 and place it in the viommu struct during allocation time.

does it assume that a viommu object cannot span multiple physical IOMMUs so there is only one vmid per viommu?

I think so. One the reasons of introducing vIOMMU is to maintain the shareability across physical IOMMUs at the s2 HWPT_PAGING.

My understanding of VMID is something like domain id in x86 arch's. Is my understanding correct?

yes

If a VMID for an S2 hwpt is valid on physical IOMMU A but has already been allocated for another purpose on physical IOMMU B, how can it be shared across both IOMMUs? Or the VMID is allocated globally?

I'm not sure that's a problem. The point is that each vIOMMU object will get a VMID from the SMMU which it's associated to (assume one vIOMMU cannot span multiple SMMU). Whether that VMID is globally allocated or per-SMMU is the policy in the SMMU driver.

It's the driver's responsibility to ensure not using a conflicting VMID when creating an vIOMMU instance.

On Wed, Sep 11, 2024 at 08:17:23AM +0000, Tian, Kevin wrote:

...

My understanding of VMID is something like domain id in x86 arch's. Is my understanding correct?

yes

...

If a VMID for an S2 hwpt is valid on physical IOMMU A but has already been allocated for another purpose on physical IOMMU B, how can it be shared across both IOMMUs? Or the VMID is allocated globally?

I'm not sure that's a problem. The point is that each vIOMMU object will get a VMID from the SMMU which it's associated to (assume one vIOMMU cannot span multiple SMMU). Whether that VMID is globally allocated or per-SMMU is the policy in the SMMU driver.

It's the driver's responsibility to ensure not using a conflicting VMID when creating an vIOMMU instance.

It can happen to be the same VMID across all physical SMMUs, but not necessary to be the same, i.e. two SMMUs might have two VMIDs with different ID values, allocated from the their own VMID pools, since cache entries in their own TLB can be tagged with their own VMIDs.

Does domain id for intel-iommu have to be the same? I recall there is only one iommu instance on intel chips at this moment?

Thanks Nicolin

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, September 11, 2024 3:21 PM

On Wed, Sep 11, 2024 at 06:25:16AM +0000, Tian, Kevin wrote:

...

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Friday, September 6, 2024 2:22 AM

On Thu, Sep 05, 2024 at 11:00:49AM -0700, Nicolin Chen wrote:

...

On Thu, Sep 05, 2024 at 01:20:39PM -0300, Jason Gunthorpe wrote:

...

On Tue, Aug 27, 2024 at 09:59:54AM -0700, Nicolin Chen wrote:

...

+static int arm_smmu_viommu_cache_invalidate(struct

iommufd_viommu *viommu,

...

...

...

•                                       struct iommu_user_data_array
  

*array)

...

...

...

+{

•   struct iommu_domain *domain =
  

iommufd_viommu_to_parent_domain(viommu);

...

...

...

•   return __arm_smmu_cache_invalidate_user(
  

•                   to_smmu_domain(domain), viommu, array);
  

I'd like to have the viommu struct directly hold the VMID. The nested parent should be sharable between multiple viommus, it doesn't

make

...

...

...

...

any sense that it would hold the vmid.

This is struggling because it is trying too hard to not have the driver allocate the viommu, and I think we should just go ahead and

do

...

...

...

...

that. Store the vmid, today copied from the nesting parent in the vmid private struct. No need for iommufd_viommu_to_parent_domain(),

just

...

...

...

...

rework the APIs to pass the vmid down not a domain.

OK. When I designed all this stuff, we still haven't made mind about sharing the s2 domain, i.e. moving the VMID, which might need a couple of more patches to achieve.

Yes, many more patches, and don't try to do it now.. But we can copy the vmid from the s2 and place it in the viommu struct during allocation time.

does it assume that a viommu object cannot span multiple physical IOMMUs so there is only one vmid per viommu?

I think so. One the reasons of introducing vIOMMU is to maintain the shareability across physical IOMMUs at the s2 HWPT_PAGING.

I don't quite get it. e.g. for intel-iommu the S2 domain itself can be shared across physical IOMMUs then what is the problem preventing a vIOMMU object using that S2 to span multiple IOMMUs?

Probably there is a good reason e.g. for simplification or better aligned with hw accel stuff. But it's not explained clearly so far.

On Wed, Sep 11, 2024 at 08:13:01AM +0000, Tian, Kevin wrote:

Probably there is a good reason e.g. for simplification or better aligned with hw accel stuff. But it's not explained clearly so far.

Probably the most concrete thing is if you have a direct assignment invalidation queue (ie DMA'd directly by HW) then it only applies to a single pIOMMU and invalidation commands placed there are unavoidably limited in scope.

This creates a representation problem, if we have a vIOMMU that spans many pIOMMUs but invalidations do some subset how to do we model that. Just saying the vIOMMU is linked to the pIOMMU solves this nicely.

Jason

On Fri, Sep 13, 2024 at 02:33:59AM +0000, Tian, Kevin wrote:

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Thursday, September 12, 2024 7:08 AM

On Wed, Sep 11, 2024 at 08:13:01AM +0000, Tian, Kevin wrote:

...

Probably there is a good reason e.g. for simplification or better aligned with hw accel stuff. But it's not explained clearly so far.

Probably the most concrete thing is if you have a direct assignment invalidation queue (ie DMA'd directly by HW) then it only applies to a single pIOMMU and invalidation commands placed there are unavoidably limited in scope.

This creates a representation problem, if we have a vIOMMU that spans many pIOMMUs but invalidations do some subset how to do we model that. Just saying the vIOMMU is linked to the pIOMMU solves this nicely.

yes that is a good reason.

btw do we expect the VMM to try-and-fail when deciding whether a new vIOMMU object is required when creating a new vdev?

I think there was some suggestion the getinfo could return this, but also I think qemu needs to have a command line that matches physical so maybe it needs some sysfs?

Jason

On Wed, Sep 18, 2024 at 08:10:52AM +0000, Tian, Kevin wrote:

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Saturday, September 14, 2024 10:51 PM

On Fri, Sep 13, 2024 at 02:33:59AM +0000, Tian, Kevin wrote:

...

...

From: Jason Gunthorpe jgg@nvidia.com Sent: Thursday, September 12, 2024 7:08 AM

On Wed, Sep 11, 2024 at 08:13:01AM +0000, Tian, Kevin wrote:

...

Probably there is a good reason e.g. for simplification or better aligned with hw accel stuff. But it's not explained clearly so far.

Probably the most concrete thing is if you have a direct assignment invalidation queue (ie DMA'd directly by HW) then it only applies to a single pIOMMU and invalidation commands placed there are unavoidably limited in scope.

This creates a representation problem, if we have a vIOMMU that spans many pIOMMUs but invalidations do some subset how to do we model that. Just saying the vIOMMU is linked to the pIOMMU solves this nicely.

yes that is a good reason.

btw do we expect the VMM to try-and-fail when deciding whether a new vIOMMU object is required when creating a new vdev?

I think there was some suggestion the getinfo could return this, but also I think qemu needs to have a command line that matches physical so maybe it needs some sysfs?

My impression was that Qemu is moving away from directly accessing sysfs (e.g. as the reason behind allowing Libvirt to pass in an opened cdev fd to Qemu). So probably getinfo makes more sense...

Yes, but I think libvirt needs this information before it invokes qemu..

The physical and virtual iommus need to sort of match, something should figure this out automatically I would guess.

Jason

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, September 11, 2024 3:08 PM

On Wed, Sep 11, 2024 at 06:12:21AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, August 28, 2024 1:00 AM

[...]

...

On a multi-IOMMU system, the VIOMMU object can be instanced to the number of vIOMMUs in a guest VM, while holding the same parent HWPT to

share

...

...

the

Is there restriction that multiple vIOMMU objects can be only created on a multi-IOMMU system?

I think it should be generally restricted to the number of pIOMMUs, although likely (not 100% sure) we could do multiple vIOMMUs on a single-pIOMMU system. Any reason for doing that?

No idea. But if you stated so then there will be code to enforce it e.g. failing the attempt to create a vIOMMU object on a pIOMMU to which another vIOMMU object is already linked?

...

...

stage-2 IO pagetable. Each VIOMMU then just need to only allocate its

own

...

...

VMID to attach the shared stage-2 IO pagetable to the physical IOMMU:

this reads like 'VMID' is a virtual ID allocated by vIOMMU. But from the entire context it actually means the physical 'VMID' allocated on the associated physical IOMMU, correct?

Quoting Jason's narratives, a VMID is a "Security namespace for guest owned ID". The allocation, using SMMU as an example, should

the VMID alone is not a namespace. It's one ID to tag another namespace.

be a part of vIOMMU instance allocation in the host SMMU driver. Then, this VMID will be used to mark the cache tags. So, it is still a software allocated ID, while HW would use it too.

VMIDs are physical resource belonging to the host SMMU driver.

but I got your original point that it's each vIOMMU gets an unique VMID from the host SMMU driver, not exactly that each vIOMMU maintains its own VMID namespace. that'd be a different concept.

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, September 11, 2024 3:41 PM

On Wed, Sep 11, 2024 at 07:18:10AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, September 11, 2024 3:08 PM

On Wed, Sep 11, 2024 at 06:12:21AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, August 28, 2024 1:00 AM

stage-2 IO pagetable. Each VIOMMU then just need to only allocate its

own

...

...

VMID to attach the shared stage-2 IO pagetable to the physical IOMMU:

this reads like 'VMID' is a virtual ID allocated by vIOMMU. But from the entire context it actually means the physical 'VMID' allocated on the associated physical IOMMU, correct?

Quoting Jason's narratives, a VMID is a "Security namespace for guest owned ID". The allocation, using SMMU as an example, should

the VMID alone is not a namespace. It's one ID to tag another namespace.

...

be a part of vIOMMU instance allocation in the host SMMU driver. Then, this VMID will be used to mark the cache tags. So, it is still a software allocated ID, while HW would use it too.

VMIDs are physical resource belonging to the host SMMU driver.

Yes. Just the lifecycle of a VMID is controlled by a vIOMMU, i.e. the guest.

...

but I got your original point that it's each vIOMMU gets an unique VMID from the host SMMU driver, not exactly that each vIOMMU maintains its own VMID namespace. that'd be a different concept.

What's a VMID namespace actually? Please educate me :)

I meant the 16bit VMID pool under each SMMU.

On 11/9/24 17:08, Nicolin Chen wrote:

On Wed, Sep 11, 2024 at 06:12:21AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, August 28, 2024 1:00 AM

[...]

...

On a multi-IOMMU system, the VIOMMU object can be instanced to the number of vIOMMUs in a guest VM, while holding the same parent HWPT to share the

Is there restriction that multiple vIOMMU objects can be only created on a multi-IOMMU system?

I think it should be generally restricted to the number of pIOMMUs, although likely (not 100% sure) we could do multiple vIOMMUs on a single-pIOMMU system. Any reason for doing that?

Just to clarify the terminology here - what are pIOMMU and vIOMMU exactly?

On AMD, IOMMU is a pretend-pcie device, one per a rootport, manages a DT - device table, one entry per BDFn, the entry owns a queue. A slice of that can be passed to a VM (== queues mapped directly to the VM, and such IOMMU appears in the VM as a pretend-pcie device too). So what is [pv]IOMMU here? Thanks,

...

...

stage-2 IO pagetable. Each VIOMMU then just need to only allocate its own VMID to attach the shared stage-2 IO pagetable to the physical IOMMU:

this reads like 'VMID' is a virtual ID allocated by vIOMMU. But from the entire context it actually means the physical 'VMID' allocated on the associated physical IOMMU, correct?

Quoting Jason's narratives, a VMID is a "Security namespace for guest owned ID". The allocation, using SMMU as an example, should be a part of vIOMMU instance allocation in the host SMMU driver. Then, this VMID will be used to mark the cache tags. So, it is still a software allocated ID, while HW would use it too.

Thanks Nicolin

On 1/10/24 13:36, Nicolin Chen wrote:

On Tue, Oct 01, 2024 at 11:55:59AM +1000, Alexey Kardashevskiy wrote:

...

On 11/9/24 17:08, Nicolin Chen wrote:

...

On Wed, Sep 11, 2024 at 06:12:21AM +0000, Tian, Kevin wrote:

...

...

From: Nicolin Chen nicolinc@nvidia.com Sent: Wednesday, August 28, 2024 1:00 AM

[...]

...

On a multi-IOMMU system, the VIOMMU object can be instanced to the number of vIOMMUs in a guest VM, while holding the same parent HWPT to share the

Is there restriction that multiple vIOMMU objects can be only created on a multi-IOMMU system?

I think it should be generally restricted to the number of pIOMMUs, although likely (not 100% sure) we could do multiple vIOMMUs on a single-pIOMMU system. Any reason for doing that?

Just to clarify the terminology here - what are pIOMMU and vIOMMU exactly?

On AMD, IOMMU is a pretend-pcie device, one per a rootport, manages a DT

• device table, one entry per BDFn, the entry owns a queue. A slice of

that can be passed to a VM (== queues mapped directly to the VM, and such IOMMU appears in the VM as a pretend-pcie device too). So what is [pv]IOMMU here? Thanks,

The "p" stands for physical: the entire IOMMU unit/instance. In the IOMMU subsystem terminology, it's a struct iommu_device. It sounds like AMD would register one iommu device per rootport?

Yup, my test machine has 4 of these.

The "v" stands for virtual: a slice of the pIOMMU that could be shared or passed through to a VM:

• Intel IOMMU doesn't have passthrough queues, so it uses a shared queue (for invalidation). In this case, vIOMMU will be a pure SW structure for HW queue sharing (with the host machine and other VMs). That said, I think the channel (or the port) that Intel VT-d uses internally for a device to do a two-stage translation can be seen as a "passthrough" feature, held by a vIOMMU.
• AMD IOMMU can assign passthrough queues to VMs, in which case, vIOMMU will be a structure holding all passthrough resource (of the pIOMMU) assisgned to a VM. If there is a shared resource, it can be packed into the vIOMMU struct too. FYI, vQUEUE (future series) on the other hand will represent each passthrough queue in a vIOMMU struct. The VM then, per that specific pIOMMU (rootport?), will have one vIOMMU holding a number of vQUEUEs.
• ARM SMMU is sort of in the middle, depending on the impls. vIOMMU will be a structure holding both passthrough and shared resource. It can define vQUEUEs, if the impl has passthrough queues like AMD does.

Allowing a vIOMMU to hold shared resource makes it a bit of an upgraded model for IOMMU virtualization, from the existing HWPT model that now looks like a subset of the vIOMMU model.

Thanks for confirming.

I've just read in this thread that "it should be generally restricted to the number of pIOMMUs, although likely (not 100% sure) we could do multiple vIOMMUs on a single-pIOMMU system. Any reason for doing that?"? thought "we have every reason to do that, unless p means something different", so I decided to ask :) Thanks,

Thanks Nicolin