authorKeir Fraser <keir.fraser@citrix.com>2008-08-06 09:37:53 +0100
committerKeir Fraser <keir.fraser@citrix.com>2008-08-06 09:37:53 +0100
commit3bd9f6c0a69caf3db838c37072fc4fd6b841ad4b (patch)
tree9d341eacfeb7ae862ea95b63130be84d7058034a
parent1aa11cfc4ffabcfca137ed0a0fb6f72d1614660f (diff)
vtd: Add 'force_iommu' option
For security reasons, add a 'force_iommu' option to ensure that it is not possible under any conditions to boot Xen without VT-d being enabled. This would only be specified by users who really want the added security. Signed-off-by: Weidong Han <weidong.han@intel.com>
-rw-r--r--xen/drivers/passthrough/iommu.c6
-rw-r--r--xen/drivers/passthrough/vtd/dmar.c25
-rw-r--r--xen/include/xen/iommu.h1
3 files changed, 29 insertions, 3 deletions
diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c
index 0a3fc48da9..a522b80221 100644
--- a/xen/drivers/passthrough/iommu.c
+++ b/xen/drivers/passthrough/iommu.c
@@ -30,6 +30,9 @@ boolean_param("iommu", iommu_enabled);
int iommu_pv_enabled = 0;
boolean_param("iommu_pv", iommu_pv_enabled);
+int force_iommu = 0;
+boolean_param("force_iommu", force_iommu);
+
int iommu_domain_init(struct domain *domain)
{
struct hvm_iommu *hd = domain_hvm_iommu(domain);
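Review bot: The new `force_iommu` variable and its `boolean_param` carry no comment, although the option changes boot behaviour from "disable VT-d and continue" to "panic", and (per the dmar.c hunk of this commit) also implies `iommu=1` regardless of what the user passed. A one-line comment above the definition would save the next reader a trip through dmar.c: `/* force_iommu: refuse to boot (panic) if VT-d cannot be enabled; implies iommu=1. */`. The option should also be listed wherever the file documents the `iommu`/`iommu_pv` parameters, if such a place exists outside this hunk.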
@@ -215,6 +218,9 @@ static int iommu_setup(void)
iommu_enabled = (rc == 0);
out:
+ if ( force_iommu && !iommu_enabled )
+ panic("IOMMU setup failed, crash Xen for security purpose!\n");
+
if ( !iommu_enabled )
iommu_pv_enabled = 0;
printk("I/O virtualisation %sabled\n", iommu_enabled ? "en" : "dis");
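Review bot: The `force_iommu && !iommu_enabled` check sits at the `out:` label, so it is reached both from the normal path that just set `iommu_enabled = (rc == 0)` and from any earlier `goto out` in the part of iommu_setup() that lies outside this hunk; it is effectively the catch-all behind the more specific panics this commit adds in dmar.c. That role is worth stating, since a reader seeing a third panic for the same condition will otherwise assume one is redundant: `/* Catch-all: with force_iommu, any reason for VT-d being off is fatal. */`. The message text differs slightly from the dmar.c ones ("IOMMU setup failed" vs. "acpi_dmar_init: ... failed"); keeping the same prefix style across all of them would make the serial log easier to grep.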
diff --git a/xen/drivers/passthrough/vtd/dmar.c b/xen/drivers/passthrough/vtd/dmar.c
index 5be3246e71..43107b3ae3 100644
--- a/xen/drivers/passthrough/vtd/dmar.c
+++ b/xen/drivers/passthrough/vtd/dmar.c
@@ -427,6 +427,9 @@ static int __init acpi_parse_dmar(struct acpi_table_header *table)
if ( !dmar->width )
{
dprintk(XENLOG_WARNING VTDPREFIX, "Zero: Invalid DMAR width\n");
+ if ( force_iommu )
+ panic("acpi_parse_dmar: Invalid DMAR width,"
+ " crash Xen for security purpose!\n");
return -EINVAL;
}
@@ -468,8 +471,15 @@ static int __init acpi_parse_dmar(struct acpi_table_header *table)
if ( ret )
{
- printk(XENLOG_WARNING "Failed to parse ACPI DMAR. Disabling VT-d.\n");
- disable_all_dmar_units();
+ if ( force_iommu )
+ panic("acpi_parse_dmar: Failed to parse ACPI DMAR,"
+ " crash Xen for security purpose!\n");
+ else
+ {
+ printk(XENLOG_WARNING
+ "Failed to parse ACPI DMAR. Disabling VT-d.\n");
+ disable_all_dmar_units();
+ }
}
return ret;
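Review bot: The `else` branch at lines 63-68 is dead weight, because `panic()` does not return; the original two statements can stay at their old indentation below the `if ( force_iommu )` block, which also keeps the non-force path as a one-hunk-line change: `if ( force_iommu ) panic("acpi_parse_dmar: Failed to parse ACPI DMAR, crash Xen for security purpose!\n");` followed by the unchanged `printk`/`disable_all_dmar_units()` pair. The same "panic under force_iommu, otherwise fall through to the old disable path" shape appears in the previous hunk (Invalid DMAR width) and in the `fail:` hunk of acpi_dmar_init(), so one consistent layout across all three would help. acpi_parse_dmar() begins before this hunk.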
@@ -480,10 +490,15 @@ int acpi_dmar_init(void)
int rc;
rc = -ENODEV;
+ if ( force_iommu )
+ iommu_enabled = 1;
+
if ( !iommu_enabled )
goto fail;
- acpi_table_parse(ACPI_SIG_DMAR, acpi_parse_dmar);
+ rc = acpi_table_parse(ACPI_SIG_DMAR, acpi_parse_dmar);
+ if ( rc )
+ goto fail;
rc = -ENODEV;
if ( list_empty(&acpi_drhd_units) )
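Review bot: `if ( force_iommu ) iommu_enabled = 1;` silently overrides an explicit `iommu=0` on the command line with no log line, and nothing here explains why the override lives in acpi_dmar_init() rather than next to the parameter definition in iommu.c; a comment is needed: `/* force_iommu implies iommu=1: without VT-d the boot is refused below, not continued. */`. The new `rc = acpi_table_parse(...); if ( rc ) goto fail;` only maps a parse failure onto `fail:` if acpi_table_parse() propagates the handler's return value, which is not visible in this hunk; if it merely reports whether the table was found, parse errors still reach `fail:` only via `disable_all_dmar_units()` emptying the list, so a short comment on which case is relied upon would prevent the check being "fixed" later. acpi_dmar_init() continues past this hunk.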
@@ -494,6 +509,10 @@ int acpi_dmar_init(void)
return 0;
fail:
+ if ( force_iommu )
+ panic("acpi_dmar_init: acpi_dmar_init failed,"
+ " crash Xen for security purpose!\n");
+
vtd_enabled = 0;
return -ENODEV;
}
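Review bot: The panic string repeats the function name, `"acpi_dmar_init: acpi_dmar_init failed,"`, which reads like a copy-paste slip and tells the operator nothing about what failed; since this label is reached both for `!iommu_enabled` and for an empty DRHD list, a message naming the condition is more useful: `panic("acpi_dmar_init: no usable VT-d units found, crash Xen for security purpose!\n");`. Note that `vtd_enabled = 0` is never reached under `force_iommu`, which is fine because `panic()` does not return, but a reader may want that stated in a comment given the three other panics this commit adds for the same option.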
diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h
index 20ba06062c..71204d56de 100644
--- a/xen/include/xen/iommu.h
+++ b/xen/include/xen/iommu.h
@@ -30,6 +30,7 @@
extern int vtd_enabled;
extern int iommu_enabled;
extern int iommu_pv_enabled;
+extern int force_iommu;
#define domain_hvm_iommu(d) (&d->arch.hvm_domain.hvm_iommu)
#define domain_vmx_iommu(d) (&d->arch.hvm_domain.hvm_iommu.vmx_iommu)