lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 25 Apr 2024 09:41:44 +0800
From: Baolu Lu <baolu.lu@...ux.intel.com>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: baolu.lu@...ux.intel.com, Robin Murphy <robin.murphy@....com>,
 joro@...tes.org, will@...nel.org, ewagner12@...il.com,
 suravee.suthikulpanit@....com, vashegde@....com, iommu@...ts.linux.dev,
 linux-kernel@...r.kernel.org, regressions@...ts.linux.dev
Subject: Re: [PATCH] iommu: Fix def_domain_type interaction with untrusted
 devices

On 4/24/24 10:37 PM, Jason Gunthorpe wrote:
> On Wed, Apr 24, 2024 at 10:18:00PM +0800, Baolu Lu wrote:
> 
>> For example, the intel iommu driver allows users to opt-in graphic in
>> passthrough mode, in that case def_domain_type will return
>> IOMMU_DOMAIN_IDENTITY no matter the device is trusted or not.
>>
>>      if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev))
>>           return IOMMU_DOMAIN_IDENTITY;
>>
>> this potentially creates same conflict as the amd driver.
> These performance policy choices should be done in the core code and
> they should interact correctly with other policy knobs like untrusted.
> 
> If Intel Graphics has some performance reason to prefer IDENTITY then
> it should work the same no matter the IOMMU it is connected to. I
> think just because the GPU is co-packaged with the IOMMU isn't a good
> reason to organize the software like this.
> 
> If having a policy of a performance boost to some devices is
> legitimate then I guess we'd need more levels on the command line:
>   fast           all IDENTITY
>   fast-secure    all DMA expect IDENTIY for special devices
>   mostly-secure  all DMA but unmapping is not strict
>   secure         all DMA and strict unmapping
> 
> How exactly you decide when the performance reason justfies IDENTITY,
> I don't know.. Would mlx5 800G NICs that can overwhelm most IOMMUs
> also go in that bucket too?
> 
> But yes, I'm quite adament that drivers should not be using
> def_domain_type as some kind of performance policy thing.

Yes. I will follow up to address this issue in the intel driver.

Best regards,
baolu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ