lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 1 Oct 2019 09:38:52 -0600
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Shawn Anastasio <shawn@...stas.io>
Cc:     kvm@...r.kernel.org, cohuck@...hat.com,
        linux-kernel@...r.kernel.org, Donald Dutile <ddutile@...hat.com>
Subject: Re: [PATCH RFC 0/1] VFIO: Region-specific file descriptors

On Mon, 30 Sep 2019 18:55:32 -0500
Shawn Anastasio <shawn@...stas.io> wrote:

> This patch adds region file descriptors to VFIO, a simple file descriptor type
> that allows read/write/mmap operations on a single region of a VFIO device.
> 
> This feature is particularly useful for privileged applications that use VFIO
> and wish to share file descriptors with unprivileged applications without
> handing over full control of the device.

Such as?  How do we defined "privileged"?  VFIO already allows
"unprivileged applications" to own a device, only file permissions are
necessary for the VFIO group.  Does region level granularity really
allow us to claim that the consumer of this fd doesn't have full
control of the device?  Clearly device ioctls, including interrupts,
and DMA mappings are not granted with only access to a region, but said
unprivileged application may have absolute full control of the device
itself via that region.

> It also allows applications to use
> regular offsets in read/write/mmap instead of the region index + offset that
> must be used with device file descriptors.

How is this actually an issue that needs a solution?

> The current implementation is very raw (PCI only, no reference counting which
> is probably wrong), but I wanted to get a sense to see if this feature is
> desired. If it is, tips on how to implement this more correctly are
> appreciated.

Handling the ownership and life cycle of the region fds is the more
complicated problem.  If an unprivileged user has an mmap to a device
owned by a privileged user, how does it get revoked by the privileged
part of this equation?  How do we decide which regions merit this
support, for instance a device specific region could have just as
viable a use case as a BAR.  Why does this code limit support to
regions supporting mmap but then support read/write as well?

Technically, isn't the extent of functionality provided in this RFC
already available via the PCI resource files in sysfs?

Without a concrete use case, this looks like a solution in search of a
problem.  Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ