Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp8478602ybn; Tue, 1 Oct 2019 08:40:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqzMTv4cZizybL6K+U/OXzkeciKEnypfRQqIynU3VJ4yAm3RrDLah3XytQu+UXJpIHBEl/4i X-Received: by 2002:a17:906:3286:: with SMTP id 6mr24513230ejw.37.1569944403351; Tue, 01 Oct 2019 08:40:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569944403; cv=none; d=google.com; s=arc-20160816; b=KPXfg2BEk2yAJfGGRb1BBkgcv2idbVKBxRZC0vGwTBrY8RaSrDSB7SMB72RewPmt/8 kzW63W+gUQ6Y96LHvtk9lsamruNEFMNklE628ifReK4XApjokvqjUAXqILaimH1b965b 3iKldX2K7d34Kp4MJvc3JMmHuuRNcns+t/hO4NowBxhfU8SqtfHQW4vNgbPLabRSqwpH sqy1e0tejcYeFW62oPdXaNazYoukp/ypQ4s+OF3QL/e5OVMXD9t4Nvh2WVsokIpdNo7Y wE5ktT2lB1tq2iZuxvvxmOoiNs/fqgCyWuWOHFRkCaIzPS3lbCiVgLKkLkouf6FxgpHg LdhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=7NqBe/zIrz7RxIunL0FlyfFbkWCNP5Fl5skY/KRRJfo=; b=wC+p/RIR0wFlNvltBgqZPk0JgWNOAFhpMNcHIr4ypteIvRQ/3PJifOLtTRoCXyYYjG qLJygEcxUFA2pe5g7onBuAC6d+yFB1JD2TlHRs6/viGoKPqkL2VnZIt5GKuzo0nqg4Hd 4y3qzn/N1N9JiVwuaXJI3+aPybuIZlyafkxDSG62TDHw1XjatdMDVTjRSZSF1VXv5Ymj 2uznUQfZb1tqOdntx+qRSOHeIlVlRhE+F7j504uJLRzMgiXrM4F73EPHIz0K2k2yh+nU YbvezDJjKl4ZFPyIDSkOFnk9QTr5e1xAImNrH/r9OqnQSTCzhf8rXgDWOXtx9gmPrDnZ b0vA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m12si8769562eja.9.2019.10.01.08.39.38; Tue, 01 Oct 2019 08:40:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389617AbfJAPiy (ORCPT + 99 others); Tue, 1 Oct 2019 11:38:54 -0400 Received: from mx1.redhat.com ([209.132.183.28]:39342 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727236AbfJAPix (ORCPT ); Tue, 1 Oct 2019 11:38:53 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6AB7C10C0944; Tue, 1 Oct 2019 15:38:53 +0000 (UTC) Received: from x1.home (ovpn-118-102.phx2.redhat.com [10.3.118.102]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0ACC95C226; Tue, 1 Oct 2019 15:38:52 +0000 (UTC) Date: Tue, 1 Oct 2019 09:38:52 -0600 From: Alex Williamson To: Shawn Anastasio Cc: kvm@vger.kernel.org, cohuck@redhat.com, linux-kernel@vger.kernel.org, Donald Dutile Subject: Re: [PATCH RFC 0/1] VFIO: Region-specific file descriptors Message-ID: <20191001093852.5c1d9c7c@x1.home> In-Reply-To: <20190930235533.2759-1-shawn@anastas.io> References: <20190930235533.2759-1-shawn@anastas.io> Organization: Red Hat MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.66]); Tue, 01 Oct 2019 15:38:53 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 30 Sep 2019 18:55:32 -0500 Shawn Anastasio wrote: > This patch adds region file descriptors to VFIO, a simple file descriptor type > that allows read/write/mmap operations on a single region of a VFIO device. > > This feature is particularly useful for privileged applications that use VFIO > and wish to share file descriptors with unprivileged applications without > handing over full control of the device. Such as? How do we defined "privileged"? VFIO already allows "unprivileged applications" to own a device, only file permissions are necessary for the VFIO group. Does region level granularity really allow us to claim that the consumer of this fd doesn't have full control of the device? Clearly device ioctls, including interrupts, and DMA mappings are not granted with only access to a region, but said unprivileged application may have absolute full control of the device itself via that region. > It also allows applications to use > regular offsets in read/write/mmap instead of the region index + offset that > must be used with device file descriptors. How is this actually an issue that needs a solution? > The current implementation is very raw (PCI only, no reference counting which > is probably wrong), but I wanted to get a sense to see if this feature is > desired. If it is, tips on how to implement this more correctly are > appreciated. Handling the ownership and life cycle of the region fds is the more complicated problem. If an unprivileged user has an mmap to a device owned by a privileged user, how does it get revoked by the privileged part of this equation? How do we decide which regions merit this support, for instance a device specific region could have just as viable a use case as a BAR. Why does this code limit support to regions supporting mmap but then support read/write as well? Technically, isn't the extent of functionality provided in this RFC already available via the PCI resource files in sysfs? Without a concrete use case, this looks like a solution in search of a problem. Thanks, Alex