> From: [email protected] [mailto:[email protected]] > Sent: Friday, November 23, 2018 7:21 PM > > On Wed, Nov 21, 2018 at 12:40:44PM +0800, Lu Baolu wrote: > > Can you please elaborate a bit more about the concept of subdomains? > > From my point of view, an aux-domain is a normal un-managed domain > which > > has a PASID and could be attached to any ADIs through the aux-domain > > specific attach/detach APIs. It could also be attached to a device with > > the existing domain_attach/detach_device() APIs at the same time, hence > > mdev and pci devices in a vfio container could share a domain. > > Okay, let's think a bit about having aux-specific attach/detach > functions, in the end I don't insist on my proposal as long as the > IOMMU-API extensions are clean, consistent, and have well defined > semantics. > > If we have aux-domain specific attach/detach functions like > iommu_aux_domain_attach/detach(), what happens when the primary > domain > of the device is changed with iommu_attach/detach()? > > 1) Will the aux-domains stay in place? If yes, how does this > work in setups where the pasid-bound page-tables are > guest-owned and translated through the primary domain > page-tables? > > 2) Will the aux-domains be unbound too? In that case, if the > primary domain is re-used, will the aux-domains be implicitly > bound too when iommu_device_attach() is called? > > 3) Do we just disallow changing the primary domain through that > interface as long as there are aux-domains or mm_structs > bound to the device?
3) sounds like a right option. IMO Primary domain represents the primary ownership of DMA capability of the whole device. The owner (say host driver) may lend partial capability (e.g. allocating some queues) to a sub-owner (through aux-domain to a VM or mm_struct to a process), when ownership is still claimed by this owner. Primary domain switch means ownership change (e.g. from host driver to guest driver if type is changed from DMA-API to UNMANAGED), which usually implies driver load/unload thus all resource usages from previous owner must be cleaned up before actual switch happens, which include things allocated from DMA-API, aux domain API, and SVA APIs. > > Using option 2) or 3) would mean that the aux-domains are still bound to > the primary domain, but that is not reflected in the API. Further, if an Do you suggest some reflection in API interface definition, or specific API implementation? If the former I didn't get how to do it. If the latter, yes it's missed in current RFC. We should add check in necessary code path. > aux-domain is just a normal domain (struct iommu_domain), what > happens > when a domain that was used as a primary domain and has bound > aux-domains to it, is bound with iommu_aux_domain_attach() to another > domain? aux domain is essentially a way to lend partial DMA capability to less- privileged entity (process or VM), which implies that part of DMA unmanaged by kernel driver. If we can make such assumption that aux only applies to UNMANAGED domain (thus disallow BLOCKED/IDENTITY/ DMA from using aux), then above open doesn't exist, because if primary domain is UNMANAGED type it essentially means the whole device fully owned by user space or guest thus no host driver entity to ever create aux domain. If primary domain is not UNMANAGED type, it will fail in aux API. with this design, each device will have at most one primary and multiple aux, i.e. just two layers. no aux-bind-to-aux thing. this assumption should be true in discussed usages around aux domain. but I may overlook something... Jean? > > As you can see, this design decission raises a lot of questions, but > maybe we can work it out and find a solution we all agree on. > Thanks for raising those good opens! Thanks Kevin _______________________________________________ iommu mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/iommu
