[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200724083417.GA3913@silpixa00400314>
Date: Fri, 24 Jul 2020 09:34:17 +0100
From: Giovanni Cabiddu <giovanni.cabiddu@...el.com>
To: Alex Williamson <alex.williamson@...hat.com>
Cc: herbert@...dor.apana.org.au, cohuck@...hat.com, nhorman@...hat.com,
vdronov@...hat.com, bhelgaas@...gle.com, mark.a.chambers@...el.com,
gordon.mcfadden@...el.com, ahsan.atta@...el.com,
fiona.trahe@...el.com, qat-linux@...el.com, kvm@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-pci@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/5] vfio/pci: Add device denylist
On Thu, Jul 23, 2020 at 04:41:26PM -0600, Alex Williamson wrote:
> On Thu, 23 Jul 2020 22:47:02 +0100
> Giovanni Cabiddu <giovanni.cabiddu@...el.com> wrote:
>
> > Add denylist of devices that by default are not probed by vfio-pci.
> > Devices in this list may be susceptible to untrusted application, even
> > if the IOMMU is enabled. To be accessed via vfio-pci, the user has to
> > explicitly disable the denylist.
> >
> > The denylist can be disabled via the module parameter disable_denylist.
> >
> > Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@...el.com>
> > ---
> > drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++++++++++++++
> > 1 file changed, 33 insertions(+)
> >
> > diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
> > index 7c0779018b1b..673f53c4798e 100644
> > --- a/drivers/vfio/pci/vfio_pci.c
> > +++ b/drivers/vfio/pci/vfio_pci.c
> > @@ -60,6 +60,10 @@ module_param(enable_sriov, bool, 0644);
> > MODULE_PARM_DESC(enable_sriov, "Enable support for SR-IOV configuration. Enabling SR-IOV on a PF typically requires support of the userspace PF driver, enabling VFs without such support may result in non-functional VFs or PF.");
> > #endif
> >
> > +static bool disable_denylist;
> > +module_param(disable_denylist, bool, 0444);
> > +MODULE_PARM_DESC(disable_denylist, "Disable use of device denylist. Disabling the denylist prevents binding to devices with known errata that may lead to exploitable stability or security issues when accessed by untrusted users.");
>
> s/prevents/allows/
>
> ie. the denylist prevents binding, therefore disabling the denylist
> allows binding
>
> I can fix this on commit without a new version if you agree. I also
> see that patch 1/5 didn't change since v2, so I'll transfer Bjorn's
> ack. If that sounds good I'll queue the first 3 patches in my next
> branch for v5.9. Thanks,
My bad, apologies! I'm ok also to re-spin adding Bjorn's ack and the fix
above.
Regards,
--
Giovanni
Powered by blists - more mailing lists