| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 Feb 2020 07:57:29 +0000
From: "Liu, Yi L" <yi.l.liu@...el.com>
To: Alex Williamson <alex.williamson@...hat.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>
CC: "linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"dev@...k.org" <dev@...k.org>,
"mtosatti@...hat.com" <mtosatti@...hat.com>,
"thomas@...jalon.net" <thomas@...jalon.net>,
"bluca@...ian.org" <bluca@...ian.org>,
"jerinjacobk@...il.com" <jerinjacobk@...il.com>,
"Richardson, Bruce" <bruce.richardson@...el.com>,
"cohuck@...hat.com" <cohuck@...hat.com>
Subject: RE: [RFC PATCH 3/7] vfio/pci: Introduce VF token
> From: Alex Williamson <alex.williamson@...hat.com>
> Sent: Wednesday, February 5, 2020 7:06 AM
> To: kvm@...r.kernel.org
> Subject: [RFC PATCH 3/7] vfio/pci: Introduce VF token
>
> If we enable SR-IOV on a vfio-pci owned PF, the resulting VFs are not
> fully isolated from the PF. The PF can always cause a denial of
> service to the VF, if not access data passed through the VF directly.
> This is why vfio-pci currently does not bind to PFs with SR-IOV enabled
> and does not provide access itself to enabling SR-IOV on a PF. The
> IOMMU grouping mechanism might allow us a solution to this lack of
> isolation, however the deficiency isn't actually in the DMA path, so
> much as the potential cooperation between PF and VF devices. Also,
> if we were to force VFs into the same IOMMU group as the PF, we severely
> limit the utility of having independent drivers managing PFs and VFs
> with vfio.
>
> Therefore we introduce the concept of a VF token. The token is
> implemented as a UUID and represents a shared secret which must be set
> by the PF driver and used by the VF drivers in order to access a vfio
> device file descriptor for the VF. The ioctl to set the VF token will
> be provided in a later commit, this commit implements the underlying
> infrastructure. The concept here is to augment the string the user
> passes to match a device within a group in order to retrieve access to
> the device descriptor. For example, rather than passing only the PCI
> device name (ex. "0000:03:00.0") the user would also pass a vf_token
> UUID (ex. "2ab74924-c335-45f4-9b16-8569e5b08258"). The device match
> string therefore becomes:
>
> "0000:03:00.0 vf_token=2ab74924-c335-45f4-9b16-8569e5b08258"
>
> This syntax is expected to be extensible to future options as well, with
> the standard being:
>
> "$DEVICE_NAME $OPTION1=$VALUE1 $OPTION2=$VALUE2"
>
> The device name must be first and option=value pairs are separated by
> spaces.
>
> The vf_token option is only required for VFs where the PF device is
> bound to vfio-pci. There is no change for PFs using existing host
> drivers.
>
> Note that in order to protect existing VF users, not only is it required
> to set a vf_token on the PF before VFs devices can be accessed, but also
> if there are existing VF users, (re)opening the PF device must also
> provide the current vf_token as authentication. This is intended to
> prevent a VF driver starting with a trusted PF driver and later being
> replaced by an unknown driver. A vf_token is not required to open the
> PF device when none of the VF devices are in use by vfio-pci drivers.
So vfio_token is a kind of per-PF token?
Regards,
Yi Liu
Powered by blists - more mailing lists