Received: by 10.192.165.148 with SMTP id m20csp4101834imm; Mon, 30 Apr 2018 11:45:54 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpYGWtLttJ6VkWfvtX9q/GfcWHzbyOJhj5aObj+zWzkBADijn1pV3BZ7it6aBZKbHwCkMhx X-Received: by 2002:a65:45c2:: with SMTP id m2-v6mr10813312pgr.433.1525113954002; Mon, 30 Apr 2018 11:45:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525113953; cv=none; d=google.com; s=arc-20160816; b=QQpnMpnUps9OUcehzxC/FtRDDLWnAxgAyxq/5oD9vIHUTQ/NN+P/L+hzH2hxaidEzq I5fBHk6H0pAFZennLtl8tM36IZuRtRI4RZuBhCQyYQkO3GV+UAR0fI3Rhq/p4A3fuwMB SlJmu1VkFFWF7dvIW8pGmmqjaL3bp+g+V+haFYsYI9jQyyMERY5PuJKlzMCeIedQXoki RaWcJ+e24fYs6LJwLP7OSemEiwWk8t9yZVbLHAIUxhi3Mihg7InnnSpdhEMNmjUTSDvX 5F1AEuEK/7Fq5neua2/a3lmdzgghZl8e+Kr+stuKup9cYJObTC3pcA1zgwSqJgykzuBQ pwoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=EMe3MEmgk2QRL0x+lDzjvVCxXrDWLfpFDGdTL9Z9BJI=; b=nZgK2h7AIliB4YmYcVhE5RUiWFxvrFOyMNzLE7BP1wACcJZw9qwI72qGFheWUiEAwy MyMrkgJpV9sJ/++1YaTdI0FnIUa9Mi2pttNXa7vo1gK88+vWyVN6tyqHbOOKZj3xPTEw PCNPVfdByHRoOnkKPyKykh7zPaxcgYKPZ6+Em33Qo/8WJtrGCZmnar+sNirpggIqoBPW SdqPi4INNKp0I8SzkajvlKjClRqETqwn70AjuLuoERv6/hn4NqXYsCao3sY/VjfiJh6Z nN/NwxKdKxJlq9vXvKiXqCi2ukIjQOX5jlNoLwWqOYoI+WPdJX4ck0WLD2FlG/KfLVLf 0Fmg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s4-v6si8028252plp.266.2018.04.30.11.45.38; Mon, 30 Apr 2018 11:45:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754891AbeD3Sor (ORCPT + 99 others); Mon, 30 Apr 2018 14:44:47 -0400 Received: from mga06.intel.com ([134.134.136.31]:56304 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752994AbeD3Soq (ORCPT ); Mon, 30 Apr 2018 14:44:46 -0400 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Apr 2018 11:44:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,348,1520924400"; d="scan'208";a="47226616" Received: from downor-z87x-ud5h.fm.intel.com (HELO downor-Z87X-UD5H) ([10.1.122.107]) by orsmga003.jf.intel.com with ESMTP; 30 Apr 2018 11:44:45 -0700 Date: Mon, 30 Apr 2018 11:43:47 -0700 From: Dongwon Kim To: Juergen Gross Cc: Oleksandr Andrushchenko , Wei Liu , Artem Mygaiev , konrad.wilk@oracle.com, airlied@linux.ie, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Potrola, MateuszX" , daniel.vetter@intel.com, xen-devel@lists.xenproject.org, boris.ostrovsky@oracle.com, Roger Pau =?iso-8859-1?Q?Monn=E9?= , "Oleksandr_Andrushchenko@epam.com" Subject: Re: [Xen-devel] [PATCH 0/1] drm/xen-zcopy: Add Xen zero-copy helper DRM driver Message-ID: <20180430184347.GA20292@downor-Z87X-UD5H> References: <20180418101058.hyqk3gr3b2ibxswu@MacBook-Pro-de-Roger.local> <20180420071914.GG31310@phenom.ffwll.local> <76cdc65a-7bb1-9377-7bc5-6164e32f7b5d@gmail.com> <20180423115242.ywdwqblj2aseu3fr@citrix.com> <61105351-8896-072b-abf0-757c7f6c0edf@gmail.com> <20180424115437.GT31310@phenom.ffwll.local> <18ab5f76-00b0-42a0-fcb8-e0cbf4cdd527@gmail.com> <20180424203514.GA26787@downor-Z87X-UD5H> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 25, 2018 at 08:12:08AM +0200, Juergen Gross wrote: > On 24/04/18 22:35, Dongwon Kim wrote: > > Had a meeting with Daniel and talked about bringing out generic > > part of hyper-dmabuf to the userspace, which means we most likely > > reuse IOCTLs defined in xen-zcopy for our use-case if we follow > > his suggestion. > > > > So assuming we use these IOCTLs as they are, > > Several things I would like you to double-check.. > > > > 1. returning gref as is to the user space is still unsafe because > > it is a constant, easy to guess and any process that hijacks it can easily > > exploit the buffer. So I am wondering if it's possible to keep dmabuf-to > > -gref or gref-to-dmabuf in kernel space and add other layers on top > > of those in actual IOCTLs to add some safety.. We introduced flink like > > hyper_dmabuf_id including random number but many says even that is still > > not safe. > > grefs are usable by root only. When you have root access in dom0 you can > do evil things to all VMs even without using grants. That is in no way > different to root being able to control all other processes on the > system. I honestly didn't know about this. I believed kernel code simply can map those pages. However, out of curiosity, how is non-root usage of gref prevented in current design? Is there privilege check in grant table driver or hypercalls needed by this page mapping is only enabled for root in hypervisor level? And this is pretty critical information for any use-case using grant-table. Is there any place(doc/website) this is specified/explained? Thanks, DW > > > Juergen