[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210609184940.GH1002214@nvidia.com>
Date: Wed, 9 Jun 2021 15:49:40 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Alex Williamson <alex.williamson@...hat.com>
Cc: Joerg Roedel <joro@...tes.org>,
"Tian, Kevin" <kevin.tian@...el.com>,
Jean-Philippe Brucker <jean-philippe@...aro.org>,
David Gibson <david@...son.dropbear.id.au>,
Jason Wang <jasowang@...hat.com>,
"parav@...lanox.com" <parav@...lanox.com>,
"Enrico Weigelt, metux IT consult" <lkml@...ux.net>,
Paolo Bonzini <pbonzini@...hat.com>,
Shenming Lu <lushenming@...wei.com>,
Eric Auger <eric.auger@...hat.com>,
Jonathan Corbet <corbet@....net>,
"Raj, Ashok" <ashok.raj@...el.com>,
"Liu, Yi L" <yi.l.liu@...el.com>, "Wu, Hao" <hao.wu@...el.com>,
"Jiang, Dave" <dave.jiang@...el.com>,
Jacob Pan <jacob.jun.pan@...ux.intel.com>,
Kirti Wankhede <kwankhede@...dia.com>,
Robin Murphy <robin.murphy@....com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"iommu@...ts.linux-foundation.org" <iommu@...ts.linux-foundation.org>,
David Woodhouse <dwmw2@...radead.org>,
LKML <linux-kernel@...r.kernel.org>,
Lu Baolu <baolu.lu@...ux.intel.com>
Subject: Re: Plan for /dev/ioasid RFC v2
On Wed, Jun 09, 2021 at 10:27:22AM -0600, Alex Williamson wrote:
> > > It is a kernel decision, because a fundamental task of the kernel is to
> > > ensure isolation between user-space tasks as good as it can. And if a
> > > device assigned to one task can interfer with a device of another task
> > > (e.g. by sending P2P messages), then the promise of isolation is broken.
> >
> > AIUI, the IOASID model will still enforce IOMMU groups, but it's not an
> > explicit part of the interface like it is for vfio. For example the
> > IOASID model allows attaching individual devices such that we have
> > granularity to create per device IOASIDs, but all devices within an
> > IOMMU group are required to be attached to an IOASID before they can be
> > used.
Yes, thanks Alex
> > It's not entirely clear to me yet how that last bit gets
> > implemented though, ie. what barrier is in place to prevent device
> > usage prior to reaching this viable state.
The major security checkpoint for the group is on the VFIO side. We
must require the group before userspace can be allowed access to any
device registers. Obtaining the device_fd from the group_fd does this
today as the group_fd is the security proof.
Actually, thinking about this some more.. If the only way to get a
working device_fd in the first place is to get it from the group_fd
and thus pass a group-based security check, why do we need to do
anything at the ioasid level?
The security concept of isolation was satisfied as soon as userspace
opened the group_fd. What do more checks in the kernel accomplish?
Yes, we have the issue where some groups require all devices to use
the same IOASID, but once someone has the group_fd that is no longer a
security issue. We can fail VFIO_DEVICE_ATTACH_IOASID callss that
don't make sense.
> > > > Groups should be primarily about isolation security, not about IOASID
> > > > matching.
> > >
> > > That doesn't make any sense, what do you mean by 'IOASID matching'?
> >
> > One of the problems with the vfio interface use of groups is that we
> > conflate the IOMMU group for both isolation and granularity. I think
> > what Jason is referring to here is that we still want groups to be the
> > basis of isolation, but we don't want a uAPI that presumes all devices
> > within the group must use the same IOASID.
Yes, thanks again Alex
> > For example, if a user owns an IOMMU group consisting of
> > non-isolated functions of a multi-function device, they should be
> > able to create a vIOMMU VM where each of those functions has its
> > own address space. That can't be done today, the entire group
> > would need to be attached to the VM under a PCIe-to-PCI bridge to
> > reflect the address space limitation imposed by the vfio group
> > uAPI model. Thanks,
>
> Hmm, likely discussed previously in these threads, but I can't come up
> with the argument that prevents us from making the BIND interface
> at the group level but the ATTACH interface at the device level? For
> example:
>
> - VFIO_GROUP_BIND_IOASID_FD
> - VFIO_DEVICE_ATTACH_IOASID
>
> AFAICT that makes the group ownership more explicit but still allows
> the device level IOASID granularity. Logically this is just an
> internal iommu_group_for_each_dev() in the BIND ioctl. Thanks,
At a high level it sounds OK.
However I think your above question needs to be answered - what do we
want to enforce on the iommu_fd and why?
Also, this creates a problem with the device label idea, we still
need to associate each device_fd with a label, so your above sequence
is probably:
VFIO_GROUP_BIND_IOASID_FD(group fd)
VFIO_BIND_IOASID_FD(device fd 1, device_label)
VFIO_BIND_IOASID_FD(device fd 2, device_label)
VFIO_DEVICE_ATTACH_IOASID(..)
And then I think we are back to where I had started, we can trigger
whatever VFIO_GROUP_BIND_IOASID_FD does automatically as soon as all
of the devices in the group have been bound.
Jason
Powered by blists - more mailing lists