KVM: IOMMU: Disable device assignment without interrupt remapping
Alex Williamson [Thu, 14 Jul 2011 19:27:03 +0000 (13:27 -0600)]
IOMMU interrupt remapping support provides a further layer of
isolation for device assignment by preventing arbitrary interrupt
block DMA writes by a malicious guest from reaching the host.  By
default, we should require that the platform provides interrupt
remapping support, with an opt-in mechanism for existing behavior.

Both AMD IOMMU and Intel VT-d2 hardware support interrupt
remapping, however we currently only have software support on
the Intel side.  Users wishing to re-enable device assignment
when interrupt remapping is not supported on the platform can
use the "allow_unsafe_assigned_interrupts=1" module option.

[avi: break long lines]

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

virt/kvm/iommu.c

index 62a9caf..78c80f6 100644 (file)
 #include <linux/iommu.h>
 #include <linux/intel-iommu.h>
 
+static int allow_unsafe_assigned_interrupts;
+module_param_named(allow_unsafe_assigned_interrupts,
+                  allow_unsafe_assigned_interrupts, bool, S_IRUGO | S_IWUSR);
+MODULE_PARM_DESC(allow_unsafe_assigned_interrupts,
+ "Enable device assignment on platforms without interrupt remapping support.");
+
 static int kvm_iommu_unmap_memslots(struct kvm *kvm);
 static void kvm_iommu_put_pages(struct kvm *kvm,
                                gfn_t base_gfn, unsigned long npages);
@@ -231,6 +237,18 @@ int kvm_iommu_map_guest(struct kvm *kvm)
        if (!kvm->arch.iommu_domain)
                return -ENOMEM;
 
+       if (!allow_unsafe_assigned_interrupts &&
+           !iommu_domain_has_cap(kvm->arch.iommu_domain,
+                                 IOMMU_CAP_INTR_REMAP)) {
+               printk(KERN_WARNING "%s: No interrupt remapping support,"
+                      " disallowing device assignment."
+                      " Re-enble with \"allow_unsafe_assigned_interrupts=1\""
+                      " module option.\n", __func__);
+               iommu_domain_free(kvm->arch.iommu_domain);
+               kvm->arch.iommu_domain = NULL;
+               return -EPERM;
+       }
+
        r = kvm_iommu_map_memslots(kvm);
        if (r)
                goto out_unmap;