[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1471300400.12231.130.camel@kernel.crashing.org>
Date: Tue, 16 Aug 2016 08:33:20 +1000
From: Benjamin Herrenschmidt <benh@...nel.crashing.org>
To: "Rustad, Mark D" <mark.d.rustad@...el.com>
Cc: Alex Williamson <alex.williamson@...hat.com>,
Alexander Duyck <alexander.duyck@...il.com>,
Alexey Kardashevskiy <aik@...abs.ru>,
Bjorn Helgaas <helgaas@...nel.org>,
Hannes Reinecke <hare@...e.de>,
"linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Babu Moger <babu.moger@...cle.com>,
Paul Mackerras <paulus@...ba.org>,
"santosh@...lsio.com" <santosh@...lsio.com>,
Netdev <netdev@...r.kernel.org>
Subject: Re: [PATCHv2 3/4] pci: Determine actual VPD size on first access
On Tue, 2016-08-16 at 08:23 +1000, Benjamin Herrenschmidt wrote:
> > I don't think desktop users appreciate hangs any more than anyone else, and
> > that is one of the symptoms that can arise here without the vfio
> > coordination.
>
> And can happen with it as well....
Oh and your response was completely besides the point I was trying
to make, just some passive aggressive noise, thank you.
The point was that if you want the sort of safety that we are trying
to aim for, without additional HW support, you basically have to do
the isolation on a granularity no smaller than a bridge/bus (with the
notable exception of SR-IOV of course).
Otherwise guest *will* be able to harm each other (or the host) in
all sorts of ways if anything because devices will have MMIO backdoors
into their own BAR space, or can be made to DMA to a neighbour, etc...
This is the only safe thing to do (and we are enforcing that on POWER
with our IOMMU groups).
Now that being said, if you want to keep the ability to assign 2 functions
of a device to different guests for your average non-critical desktop user,
that's where you may want to consider two models.
Generally speaking, filtering things for "safety" won't work.
Filtering things to work around bugs in existing guests to avoid crashes
is a different kettle of fish and could be justified but keep in mind that
in most cases a malicious guest will be able to exploit those HW flaws.
Assuming that a device coming back from a guest is functional and not
completely broken and can be re-used without a full PERST or power cycle
is a wrong assumption. It may or may not work, no amount of "filtering"
will fix the fundamental issue. If your HW won't give you access to PERST
well ... blame Intel for not specifying a standard way to generate it in
the first place :-)
Cheers,
Ben.
Powered by blists - more mailing lists