lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aMyUxqSEBHeHAPIn@kbusch-mbp>
Date: Thu, 18 Sep 2025 17:24:54 -0600
From: Keith Busch <kbusch@...nel.org>
To: Jason Gunthorpe <jgg@...pe.ca>
Cc: Alex Mastro <amastro@...com>,
	Alex Williamson <alex.williamson@...hat.com>,
	Kevin Tian <kevin.tian@...el.com>,
	Bjorn Helgaas <bhelgaas@...gle.com>, David Reiss <dreiss@...a.com>,
	Joerg Roedel <joro@...tes.org>, Leon Romanovsky <leon@...nel.org>,
	Li Zhe <lizhe.67@...edance.com>, Mahmoud Adam <mngyadam@...zon.de>,
	Philipp Stanner <pstanner@...hat.com>,
	Robin Murphy <robin.murphy@....com>,
	Vivek Kasireddy <vivek.kasireddy@...el.com>,
	Will Deacon <will@...nel.org>, Yunxiang Li <Yunxiang.Li@....com>,
	linux-kernel@...r.kernel.org, iommu@...ts.linux.dev,
	kvm@...r.kernel.org
Subject: Re: [TECH TOPIC] vfio, iommufd: Enabling user space drivers to vend
 more granular access to client processes

On Thu, Sep 18, 2025 at 07:57:39PM -0300, Jason Gunthorpe wrote:
> On Thu, Sep 18, 2025 at 02:44:07PM -0700, Alex Mastro wrote:
> 
> > We anticipate a growing need to provide more granular access to device resources
> > beyond what the kernel currently affords to user space drivers similar to our
> > model.
> 
> I'm having a somewhat hard time wrapping my head around the security
> model that says your trust your related processes not use DMA in a way
> that is hostile their peers, but you don't trust them not to issue
> hostile ioctls..

I read this as more about having the granularity to automatically
release resources associated with a client process when it dies (as
mentioned below) rather than relying on the bootstrapping process to
manage it all. Not really about hostile ioctls, but that an ungraceful
ending of some client workload doesn't even send them.
 
> > - It would be nice if mappings created with the restricted IOMMU fd were
> >   automatically freed when the underlying kernel object was freed (if the client
> >   process were to exit ungracefully without explicitly performing unmap cleanup
> >   after itself).
> 
> Maybe the BPF could trigger an eventfd or something when the FD closes?

I wouldn't have considered a BPF dependency for this. I'll need to think
about that one for a moment.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ