x86: Use safer pattern with AMD IOMMU to block DMA requests

The AMD IOMMU spec is not 100% clear if a device table entry with V=1
but TV=0 implies that DMA requests from that device are blocked. Play
safe and use the pattern that Linux uses as well: TV=1, Mode=0 and IW as
well as IR cleared.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

diff --git a/hypervisor/arch/x86/amd_iommu.c b/hypervisor/arch/x86/amd_iommu.c
index 87d6293da1ed5df7d8549221de811c9ee90e9c1c..65662a2d5a6afe6137d748d0a539a2660a396fe6 100644 (file)
--- a/hypervisor/arch/x86/amd_iommu.c
+++ b/hypervisor/arch/x86/amd_iommu.c
@@ -559,10 +559,10 @@ void iommu_remove_pci_device(struct pci_device *device)
                return;
 
        /*
-        * Clear DTE_TRANSLATION_VALID, but keep the entry valid
-        * to block any DMA requests.
+        * Set Mode to 0 (translation disabled) and clear IR and IW to block
+        * DMA requests until the entry is reprogrammed for its new owner.
         */
-       dte->raw64[0] = DTE_VALID;
+       dte->raw64[0] = DTE_VALID | DTE_TRANSLATION_VALID;
 
        /* Flush caches, just to be sure. */
        arch_paging_flush_cpu_caches(dte, sizeof(*dte));