[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BN9PR11MB5433E6CB4CC0F96DB6E00D978CA89@BN9PR11MB5433.namprd11.prod.outlook.com>
Date: Tue, 28 Sep 2021 23:59:50 +0000
From: "Tian, Kevin" <kevin.tian@...el.com>
To: Jason Gunthorpe <jgg@...dia.com>
CC: "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"jasowang@...hat.com" <jasowang@...hat.com>,
"kwankhede@...dia.com" <kwankhede@...dia.com>,
"hch@....de" <hch@....de>,
"jean-philippe@...aro.org" <jean-philippe@...aro.org>,
"Jiang, Dave" <dave.jiang@...el.com>,
"Raj, Ashok" <ashok.raj@...el.com>,
"corbet@....net" <corbet@....net>,
"parav@...lanox.com" <parav@...lanox.com>,
"alex.williamson@...hat.com" <alex.williamson@...hat.com>,
"lkml@...ux.net" <lkml@...ux.net>,
"david@...son.dropbear.id.au" <david@...son.dropbear.id.au>,
"dwmw2@...radead.org" <dwmw2@...radead.org>,
"Tian, Jun J" <jun.j.tian@...el.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"lushenming@...wei.com" <lushenming@...wei.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"robin.murphy@....com" <robin.murphy@....com>
Subject: RE: [RFC 06/20] iommu: Add iommu_device_init[exit]_user_dma
interfaces
> From: Jason Gunthorpe <jgg@...dia.com>
> Sent: Tuesday, September 28, 2021 7:55 PM
>
> On Tue, Sep 28, 2021 at 07:13:01AM +0000, Tian, Kevin wrote:
> > > From: Jason Gunthorpe <jgg@...dia.com>
> > > Sent: Monday, September 27, 2021 10:40 PM
> > >
> > > On Mon, Sep 27, 2021 at 01:32:34PM +0000, Tian, Kevin wrote:
> > >
> > > > but I'm little worried that even vfio-pci itself cannot be bound now,
> > > > which implies that all devices in a group which are intended to be
> > > > used by the user must be bound to vfio-pci in a breath before the
> > > > user attempts to open any of them, i.e. late-binding and device-
> > > > hotplug is disallowed after the initial open. I'm not sure how
> > > > important such an usage would be, but it does cause user-tangible
> > > > semantics change.
> > >
> > > Oh, that's bad..
> > >
> > > I guess your approach is the only way forward, it will have to be
> > > extensively justified in the commit message for Greg et al.
> > >
> >
> > Just thought about another alternative. What about having driver
> > core to call iommu after call_driver_probe()?
>
> Then the kernel is now already exposed to an insecure scenario, we
> must not do probe if any user device is attached at all.
>
Originally I thought it's fine as long as the entire probe process
is not completed. Based on your comment I feel your concern is
that no guarantee that the driver won't do any iommu related
work in its probe function thus it's insecure?
Thanks
Kevin
Powered by blists - more mailing lists