| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250512140617.GA285583@nvidia.com> Date: Mon, 12 May 2025 11:06:17 -0300 From: Jason Gunthorpe <jgg@...dia.com> To: Alexey Kardashevskiy <aik@....com> Cc: Xu Yilun <yilun.xu@...ux.intel.com>, kvm@...r.kernel.org, dri-devel@...ts.freedesktop.org, linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org, sumit.semwal@...aro.org, christian.koenig@....com, pbonzini@...hat.com, seanjc@...gle.com, alex.williamson@...hat.com, vivek.kasireddy@...el.com, dan.j.williams@...el.com, yilun.xu@...el.com, linux-coco@...ts.linux.dev, linux-kernel@...r.kernel.org, lukas@...ner.de, yan.y.zhao@...el.com, daniel.vetter@...ll.ch, leon@...nel.org, baolu.lu@...ux.intel.com, zhenzhong.duan@...el.com, tao1.su@...el.com Subject: Re: [RFC PATCH 00/12] Private MMIO support for private assigned dev On Mon, May 12, 2025 at 07:30:21PM +1000, Alexey Kardashevskiy wrote: > > > I'm surprised by this.. iommufd shouldn't be doing PCI stuff, it is > > > just about managing the translation control of the device. > > > > I have a little difficulty to understand. Is TSM bind PCI stuff? To me > > it is. Host sends PCI TDISP messages via PCI DOE to put the device in > > TDISP LOCKED state, so that device behaves differently from before. Then > > why put it in IOMMUFD? > > > "TSM bind" sets up the CPU side of it, it binds a VM to a piece of > IOMMU on the host CPU. The device does not know about the VM, it > just enables/disables encryption by a request from the CPU (those > start/stop interface commands). And IOMMUFD won't be doing DOE, the > platform driver (such as AMD CCP) will. Nothing to do for VFIO here. > > We probably should notify VFIO about the state transition but I do > not know VFIO would want to do in response. We have an awkward fit for what CCA people are doing to the various Linux APIs. Looking somewhat maximally across all the arches a "bind" for a CC vPCI device creation operation does: - Setup the CPU page tables for the VM to have access to the MMIO - Revoke hypervisor access to the MMIO - Setup the vIOMMU to understand the vPCI device - Take over control of some of the IOVA translation, at least for T=1, and route to the the vIOMMU - Register the vPCI with any attestation functions the VM might use - Do some DOE stuff to manage/validate TDSIP/etc So we have interactions of things controlled by PCI, KVM, VFIO, and iommufd all mushed together. iommufd is the only area that already has a handle to all the required objects: - The physical PCI function - The CC vIOMMU object - The KVM FD - The CC vPCI object Which is why I have been thinking it is the right place to manage this. It doesn't mean that iommufd is suddenly doing PCI stuff, no, that stays in VFIO. > > > So your issue is you need to shoot down the dmabuf during vPCI device > > > destruction? > > > > I assume "vPCI device" refers to assigned device in both shared mode & > > prvate mode. So no, I need to shoot down the dmabuf during TSM unbind, > > a.k.a. when assigned device is converting from private to shared. > > Then recover the dmabuf after TSM unbind. The device could still work > > in VM in shared mode. What are you trying to protect with this? Is there some intelism where you can't have references to encrypted MMIO pages? > > What I really want is, one SW component to manage MMIO dmabuf, secure > > iommu & TSM bind/unbind. So easier coordinate these 3 operations cause > > these ops are interconnected according to secure firmware's requirement. > > This SW component is QEMU. It knows about FLRs and other config > space things, it can destroy all these IOMMUFD objects and talk to > VFIO too, I've tried, so far it is looking easier to manage. Thanks, Yes, qemu should be sequencing this. The kernel only needs to enforce any rules required to keep the system from crashing. Jason
Powered by blists - more mailing lists