[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 02/23] xen/arm: smmuv3: Add support for stage-1 and nested stage translation

  • To: Julien Grall <julien@xxxxxxx>
  • From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>
  • Date: Thu, 11 Jun 2026 06:12:44 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=xen.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gXDvUv2PMe5nnuUKGR/91V45d4NDhbyAmB81s5ANGak=; b=yFBMsRHpeL4vK4rNMhxkOWzH4Nxme+TNOh34JffDYXAx5RQv8AFp7XNKnOlGf+/kkHR2iTic9FK7gv2Rbv5SMoeTx2IFWMgYJIb8NI4S7yHvkUVoTlpfDw4bZCY03xES/7oUVzXJk/V7f9D/B82uPktMt+2S9dPaS2HcAhEQI8X5Q4UZ5XUF/Bu81D3OxIXKEJf97d89tmctuZ5GPONs5ZIEZA8zdEw6GGOy6cJxNrjx00HOjQ+NBBfENlKVbEiGEcexEPb+2FD+xEWDfDyRrUJJi6RfKqSMsV3HZDf8YxvsTCGqPQIc/imT35xnX7xPzM7fgatnVhrqfkr2gqNCag==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=gXDvUv2PMe5nnuUKGR/91V45d4NDhbyAmB81s5ANGak=; b=w2ylOklPoUbjnJsaO9yNE88ApDgQbN/eyR8NuHT8SRwh07mSprMqKrT34s6sMzO9H4PogCp2yBzDJu4HZhgcA1JxhL2A35OeF9iuesXq+AMeWFyaYhUf+KUJA5yj+Lebm32dK999uj9xox+xO9+WZAixSJomYxg+saCsEAqLc7BbboqX5sN9d2S2q5OyA15RzyC5B486qb1zccccHfmF0AKBLK/hUBbBc1qxtVOuQEDujvgU755vvNhD+AmYqzyFezcqcF+z377rIgmQdr5HFlbP2ESLp3uxNOMNxLdAmRJ4zz4BoDYjKazRQahdqncfUZjxeOgMWAHvKMVlH7fhJg==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=wygmKx3i4vUBnpRvR55C9cFKR+hap7Bv/I28sR6pv28nPTnm95OWQsegr66qEgpHJIT9Mi7e2Gn27ORxv83nJ7e+Ei6oJspr38ur/Cls31J6J1zlSNPHjQzzLEjoSlg414ul7J47WoeIGet2gaxqd1SRD1A3PgM9+E91dHcR8iBbN8p2bzqMUNqPcY1jYUgyrjA8/MsDcvZ3xlFoc1a70JwyxpePuPwGqCmF+WSFQk+PD62d9MbfuM3HICbSBc0qeQJas3AXevk4ul9ZFHqA52c2aE7HmL2i39jkA1/p56JOxTUGbRdfDxpWraeRaJ9SALm9G/wiiucJdSRAr0YUyw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=JL8q4bc5Q5aOtylVkdr5stzhufIbc1ds5AAsV+EXFD2EMVm4c+LCPBJICOkZii7beBQ90p5/3Av+uSxF8VtaebbzlWdr+V7EMzyNC+lYujzDF4FWUNwI/83vRGrIOAM/gtt1J4j+ZKjdydeEZrB9f36MTwme37CL4YOG4LwLF0nsHoYPX2qeGnzLIK/m9nPm4RzcJkfiOyn708af+diuv9h2Wneqswj1cq8Vw3+HgplWVnyVFYzIZe9gcECn2AGcGBH1pt000zmpHN+jhPaT7YV823SRqsLQ0PSB7rhCC/i5QrfvvH8CBCDWkvdN4HeLyVlpj8JcehyJNXQpwm/CFA==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: Milan Djokic <milan_djokic@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Rahul Singh <Rahul.Singh@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Thu, 11 Jun 2026 06:14:23 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Thread-index: AQHcuxeUeXMMAhMgNk65vf8IyW5YQ7Xd846AgAjb84CAApA2gIALGl0AgCjouoCAF3h0gIADmeAAgADnRAA=
  • Thread-topic: [PATCH v2 02/23] xen/arm: smmuv3: Add support for stage-1 and nested stage translation
Hi,

> On 10 Jun 2026, at 18:24, Julien Grall <julien@xxxxxxx> wrote:
> 
> 
> 
> On 08/06/2026 10:25, Milan Djokic wrote:
>> Hi Julien,
> 
> Hi Milan,
>> On 5/24/26 13:00, Julien Grall wrote:
>>> Hi Milan,
>>> 
>>> On 28/04/2026 11:16, Milan Djokic wrote:
>>>>>> The original idea was to also allow stage-1-only support. But I'm not
>>>>>> sure if stage-1-only usecase is useful or even valid for Xen.. I will
>>>>>> update the patch series with the missing parts for stage-1-only support,
>>>>>> pointed out by Luca, but the question remains if this is needed at all.
>>>>>> If not, I can revert to original state where stage-2 was always
>>>>>> required.
>>>>> 
>>>>> By "stage-1 only" support, do you mean Xen would use the stage-1 in
>>>>> replacement of the stage-2? Or do you mean the guest will use the
>>>>> stage-1 page-table and there will be no isolation from Xen?
>>>>> 
>>>>> If the former, then I believe the page tables don't have the exact same
>>>>> format. Today, the page-tables are shared between the CPU and IOMMU, so
>>>>> this would need to be duplicated. For now, I am not sure this is worth
>>>>> to do.
>>>>> 
>>>>> If the latter, this would require the guest to be directly mapped (i.e.
>>>>> IPA == PA) but it would also open a big hole. So I would want to
>>>>> understand the exact use case first.
>>>>> 
>>>> 
>>>> The latter. In this case, the guest would configure stage-1 while
>>>> stage-2 translation is not used, so there is no additional isolation
>>>> enforced by Xen. This would only be intended for specific usecases with
>>>> trusted domains. But yes, this opens a significant hole if used with
>>>> untrusted guests. If there is no strong usecase, we could restrict the
>>>> implementation to always require stage-2.
>>> 
>>> It is still unclear what would be the exact use-case. Is it a system
>>> where the SMMU doesn't support stage-2? Performance reason?
>>> 
>> This primarily targets systems where the SMMU does not support Stage-2 
>> translation.
>> If we decide to keep this code, I will address the associated security 
>> considerations and document the corresponding AoU in the design. Otherwise, 
>> we can fall back to supporting only the "nested" translation case.
> 
> Thanks for the feedback. I think for such setup, I would consider whether we 
> can use the stage-1 in Xen to protect the device. AFAIK, this what Linux will 
> do.
> 
> I would be interested to hear what the other maintainers think.

Giving access to the smmu to a guest means giving it a solution to access 
whatever he wants through a DMA engine.
This is not less secure than no SMMU at all but I would definitely think that 
in such a case SMMU should be reserved for
Xen to use it to protect from accessing other guests memory using DMA.

Now i know that in some setups there are cases where a specific device cannot 
be used without an SMMU (mostly GPUs
but there might be others). In that case, the device cannot be used easily if 
the kernel cannot use the SMMU to remap the
memory at a convenient place for the device.

We should not disallow such cases completely but we should give strong 
recommandations when such a setup is used.

Cheers
Bertrand

> 
> Cheers,
> 
> -- 
> Julien Grall

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.