From 78f7dab60a8fb06897ef4911ffe3a7b76cf25eb4 Mon Sep 17 00:00:00 2001 From: Stefano Stabellini Date: Mon, 11 May 2020 15:58:59 -0700 Subject: [PATCH] xen/docs: add a document to explain how to do passthrough without IOMMU Make sure to start with a WARNING about security. Signed-off-by: Stefano Stabellini --- docs/misc/arm/passthrough-noiommu.txt | 37 +++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 docs/misc/arm/passthrough-noiommu.txt diff --git a/docs/misc/arm/passthrough-noiommu.txt b/docs/misc/arm/passthrough-noiommu.txt new file mode 100644 index 0000000000..f3be973874 --- /dev/null +++ b/docs/misc/arm/passthrough-noiommu.txt @@ -0,0 +1,37 @@ +Request Device Assignment without IOMMU support +=============================================== + +WARNING: it is not secure to assign a device without IOMMU protection. A +domU can program the device to do DMA on its behalf, gaining access to +the whole system. Another security measure should be employed, such as +programming a MPU. + + +This document assumes that the IOMMU is absent from the system or it is +disabled (status = "disabled" in device tree). + + +Add xen,force-assign-without-iommu; to the device tree snippet + + ethernet: ethernet@ff0e0000 { + compatible = "cdns,zynqmp-gem"; + xen,path = "/amba/ethernet@ff0e0000"; + xen,reg = <0x0 0xff0e0000 0x1000 0x0 0xff0e0000>; + xen,force-assign-without-iommu; + + +Request 1:1 memory mapping for the dom0-less domain +=================================================== + +Add a direct-map property under the appropriate /chosen/domU node with +the memory ranges you want to assign to your domain. If you are using +imagebuilder, you can add to boot.source something like the following: + + fdt set /chosen/domU0 direct-map <0x0 0x10000000 0x0 0x10000000 0x0 0x60000000 0x0 0x10000000> + +Which will assign the ranges: + + 0x10000000 - 0x20000000 + 0x60000000 - 0x70000000 + +to the first dom0less domU. -- 2.39.5
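Review bot: the device tree example under "Request Device Assignment without IOMMU support" opens `ethernet: ethernet@ff0e0000 {` and is never closed. Add the terminating `};` after `xen,force-assign-without-iommu;` so the snippet can be copied as written, and say which device tree it belongs to, since the text only says "the device tree snippet". In the same example `xen,reg` has five cells, which implies a one-cell size, while the `direct-map` example below uses two-cell sizes (`0x0 0x10000000`). Either state the #address-cells/#size-cells the example assumes or check that a `0x0` was not dropped. The document also never says why the second section follows from the first: without an IOMMU the device does DMA to physical addresses, so the guest's memory has to be mapped 1:1 for the addresses it programs into the device to be valid. One sentence to that effect at the top of "Request 1:1 memory mapping" would connect the two. The WARNING names "programming a MPU" as the alternative protection without saying where that is configured; a pointer to it, or an explicit statement that it is outside Xen's control, would make the warning actionable. Minor: "dom0-less" in the heading and "dom0less" in the last line should be spelled the same way.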