[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210929125716.GT964074@nvidia.com>
Date: Wed, 29 Sep 2021 09:57:16 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: David Gibson <david@...son.dropbear.id.au>
Cc: "Tian, Kevin" <kevin.tian@...el.com>,
"Liu, Yi L" <yi.l.liu@...el.com>,
"alex.williamson@...hat.com" <alex.williamson@...hat.com>,
"hch@....de" <hch@....de>,
"jasowang@...hat.com" <jasowang@...hat.com>,
"joro@...tes.org" <joro@...tes.org>,
"jean-philippe@...aro.org" <jean-philippe@...aro.org>,
"parav@...lanox.com" <parav@...lanox.com>,
"lkml@...ux.net" <lkml@...ux.net>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"lushenming@...wei.com" <lushenming@...wei.com>,
"eric.auger@...hat.com" <eric.auger@...hat.com>,
"corbet@....net" <corbet@....net>,
"Raj, Ashok" <ashok.raj@...el.com>,
"yi.l.liu@...ux.intel.com" <yi.l.liu@...ux.intel.com>,
"Tian, Jun J" <jun.j.tian@...el.com>, "Wu, Hao" <hao.wu@...el.com>,
"Jiang, Dave" <dave.jiang@...el.com>,
"jacob.jun.pan@...ux.intel.com" <jacob.jun.pan@...ux.intel.com>,
"kwankhede@...dia.com" <kwankhede@...dia.com>,
"robin.murphy@....com" <robin.murphy@....com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"iommu@...ts.linux-foundation.org" <iommu@...ts.linux-foundation.org>,
"dwmw2@...radead.org" <dwmw2@...radead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"baolu.lu@...ux.intel.com" <baolu.lu@...ux.intel.com>,
"nicolinc@...dia.com" <nicolinc@...dia.com>
Subject: Re: [RFC 06/20] iommu: Add iommu_device_init[exit]_user_dma
interfaces
On Wed, Sep 29, 2021 at 04:35:19PM +1000, David Gibson wrote:
> Yes, exactly. And with a group interface it's obvious it has to
> understand it. With the non-group interface, you can get to this
> stage in ignorance of groups. It will even work as long as you are
> lucky enough only to try with singleton-group devices. Then you try
> it with two devices in the one group and doing (3) on device A will
> implicitly change the DMA environment of device B.
The security model here says this is fine.
This idea to put the iommu code in charge of security is quite clean,
as I said in the other mail drivers attached to 'struct devices *'
tell the iommu layer what they are are doing:
iommu_set_device_dma_owner(dev, DMA_OWNER_KERNEL, NULL)
iommu_set_device_dma_owner(dev, DMA_OWNER_SHARED, NULL)
iommu_set_device_dma_owner(dev, DMA_OWNER_USERSPACE, group_file/iommu_file)
And it decides if it is allowed.
If device A is allowed to go to userspace then security wise it is
deemed fine that B is impacted. That is what we have defined already
today.
This proposal does not free userpace from having to understand this!
The iommu_group sysfs is still there and still must be understood.
The *admin* the one responsible to understand the groups, not the
applications. The admin has no idea what a group FD is - they should
be looking at the sysfs and seeing the iommu_group directories.
Jason
Powered by blists - more mailing lists