Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Mon, 1 Apr 2019 10:44:01 +0300
From:   Mika Westerberg <mika.westerberg@linux.intel.com>
To:     Lukas Wunner <lukas@wunner.de>
Cc:     Mario.Limonciello@dell.com, linux-kernel@vger.kernel.org,
        michael.jamet@intel.com, YehezkelShB@gmail.com,
        andreas.noever@gmail.com, andriy.shevchenko@linux.intel.com,
        ckellner@redhat.com
Subject: Re: [PATCH v3 00/36] thunderbolt: Software connection manager
 improvements
Message-ID: <20190401074401.GO3622@lahna.fi.intel.com>
References: <20190328123633.42882-1-mika.westerberg@linux.intel.com>
 <1aaab9baea4f46b481b5601dfb060104@ausx13mpc120.AMER.DELL.COM>
 <20190328165621.GB3622@lahna.fi.intel.com>
 <20190401043111.smpqjn3dhgitmh3e@wunner.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190401043111.smpqjn3dhgitmh3e@wunner.de>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: Mutt/1.11.3 (2019-02-01)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Mon, Apr 01, 2019 at 06:31:11AM +0200, Lukas Wunner wrote:
> On Thu, Mar 28, 2019 at 06:56:21PM +0200, Mika Westerberg wrote:
> > On Thu, Mar 28, 2019 at 03:17:57PM +0000, Mario.Limonciello@dell.com wrote:
> > > > From: Mika Westerberg <mika.westerberg@linux.intel.com>
> > > > Sent: Thursday, March 28, 2019 7:36 AM
> > > >   * Do not automatically create PCIe tunnels. Instead we implement "user"
> > > >     security level in the software connection manager as well taking
> > > >     advantage of the existing sysfs interfaces. This allows user to disable
> > > >     PCIe tunneling completely or implement different white listing
> > > >     policies. Major distros include bolt system daemon that takes care of
> > > >     this.
> > > 
> > > This is a bit unfortunate.  Is this because of IOMMU limitations in working
> > > with devices down the chain?
> > 
> > No, it just makes it possible to do things such as "disable all PCIe
> > tunneling", like the master switch we have in GNOME UI.
> 
> It appears to be a change in behavior though as PCIe tunnels are
> currently established automatically on Macs which don't use ICM.
> The change might be considered breaking userspace, not sure.

I don't think userspace is breaking here. The userspace interface we
provide is through sysfs and only change we do in this series that could
affect is in the patch 05. I Cc'd Mario and Christian just to make sure
fwupd and bolt still keep working (these are the two userspace
applications using the interface AFAIK).

I think you mean user experience instead. It should not affect because
if you run any major distro all the components including GNOME UI are
prepared to handle this.

> Also on macOS it's just plug and play without any need to configure
> whitelists or anything.

macOS does have whitelist too. If you plug in unsupported device you
don't get to use it and it is listed as "unsupported" in the system
report. I'm not sure if end users can tune the list.

In Linux side I would really like to make it possible to implement
whitelisting and disabling PCIe tunneling, and since we already have the
interface for that (the sysfs ABI) it only makes sense to use it. That
interface allows userspace to implement different kinds of policies from
disabling all PCIe tunneling to allowing everything (it can be done
using simple udev rule).