Date: Fri, 3 Apr 2020 09:14:24 -0600
From: Alex Williamson
To: "Tian, Kevin"
Cc: "Liu, Yi L", "eric.auger@redhat.com", "jacob.jun.pan@linux.intel.com",
    "joro@8bytes.org", "Raj, Ashok", "Tian, Jun J", "Sun, Yi Y",
    "jean-philippe@linaro.org", "peterx@redhat.com",
    "iommu@lists.linux-foundation.org", "kvm@vger.kernel.org",
    "linux-kernel@vger.kernel.org", "Wu, Hao"
Subject: Re: [PATCH v1 1/8] vfio: Add VFIO_IOMMU_PASID_REQUEST(alloc/free)
Message-ID: <20200403091424.39383958@w520.home>
References: <1584880325-10561-1-git-send-email-yi.l.liu@intel.com>
    <1584880325-10561-2-git-send-email-yi.l.liu@intel.com>
    <20200402115017.0a0f55e2@w520.home>

On Fri, 3 Apr 2020 05:58:55 +0000
"Tian, Kevin" wrote:

> > From: Alex Williamson
> > Sent: Friday, April 3, 2020 1:50 AM
> >
> > On Sun, 22 Mar 2020 05:31:58 -0700
> > "Liu, Yi L" wrote:
> >
> > > From: Liu Yi L
> > >
> > > For a long time, devices have only one DMA address space from platform
> > > IOMMU's point of view. This is true for both bare metal and
> > > directed-access in virtualization environment. Reason is the source ID
> > > of DMA in PCIe are BDF (bus/dev/fnc ID), which results in only device
> > > granularity DMA isolation. However, this is changing with the latest
> > > advancement in I/O technology area. More and more platform vendors are
> > > utilizing the PCIe PASID TLP prefix in DMA requests, thus to give
> > > devices with multiple DMA address spaces as identified by their
> > > individual PASIDs. For example, Shared Virtual Addressing (SVA, a.k.a.
> > > Shared Virtual Memory) is able to let device access multiple process
> > > virtual address space by binding the virtual address space with a
> > > PASID. Wherein the PASID is allocated in software and programmed to
> > > device per device specific manner. Devices which support PASID
> > > capability are called PASID-capable devices. If such devices are passed
> > > through to VMs, guest software is also able to bind guest process
> > > virtual address space on such devices. Therefore, the guest software
> > > could reuse the bare metal software programming model, which means
> > > guest software will also allocate PASID and program it to device
> > > directly. This is a dangerous situation since it has potential PASID
> > > conflicts and unauthorized address space access. It would be safer to
> > > let host intercept in the guest software's PASID allocation. Thus PASID
> > > are managed system-wide.
> >
> > Providing an allocation interface only allows for collaborative usage
> > of PASIDs though. Do we have any ability to enforce PASID usage or can
> > a user spoof other PASIDs on the same BDF?
>
> A user can access only PASIDs allocated to itself, i.e. the specific IOASID
> set tied to its mm_struct.

A user is only _supposed_ to access PASIDs allocated to itself. AIUI
the mm_struct is used for managing the pool of IOASIDs from which the
user may allocate that PASID. We also state that programming the PASID
into the device is device specific. Therefore, are we simply trusting
the user to use a PASID that's been allocated to them when they program
the device? If a user can program an arbitrary PASID into the device,
then what prevents them from attempting to access data from another
user via the device? I think I've asked this question before, so if
there's a previous explanation or spec section I need to review, please
point me to it. Thanks,

Alex
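
The distinction raised in the reply above, between allocating PASIDs per owner and enforcing which PASID may be used, as an added C model that is not part of the original message and not kernel or VFIO code. Every name in it (`owner_of`, `pasid_alloc`, `program_pasid_trusting`, `program_pasid_checked`) is hypothetical, an integer owner ID stands in for the mm_struct-tied IOASID set, and where such a check would sit is an assumption, since the thread does not say how or whether usage is enforced.

```c
/* Toy model only: hypothetical names, constructed sizes, not kernel code. */
#include <stdbool.h>
#include <stdint.h>

#define MAX_PASID 64   /* constructed small PASID space */
#define NO_OWNER  0    /* owner ID 0 marks a free PASID */

/* owner_of[p]: owner (stand-in for an mm_struct's IOASID set) holding p. */
static uint32_t owner_of[MAX_PASID];

/* Allocation is bookkeeping only; returns -1 on bad owner or exhaustion. */
int pasid_alloc(uint32_t owner)
{
    if (owner == NO_OWNER)
        return -1;
    for (int p = 1; p < MAX_PASID; p++) {  /* PASID 0 kept reserved here */
        if (owner_of[p] == NO_OWNER) {
            owner_of[p] = owner;
            return p;
        }
    }
    return -1;
}

/* Free succeeds only for the owner that currently holds the PASID. */
bool pasid_free(uint32_t owner, int pasid)
{
    if (pasid <= 0 || pasid >= MAX_PASID || owner == NO_OWNER ||
        owner_of[pasid] != owner)
        return false;
    owner_of[pasid] = NO_OWNER;
    return true;
}

/* Collaborative model: any in-range PASID is accepted, whoever asks. */
bool program_pasid_trusting(uint32_t owner, int pasid)
{
    (void)owner;  /* ownership is never consulted */
    return pasid > 0 && pasid < MAX_PASID;
}

/* Enforced model: the PASID must belong to the caller's own set. */
bool program_pasid_checked(uint32_t owner, int pasid)
{
    if (pasid <= 0 || pasid >= MAX_PASID || owner == NO_OWNER)
        return false;
    return owner_of[pasid] == owner;
}
```

In this model the allocator alone changes nothing about what `program_pasid_trusting` accepts; only a check against the allocation record at the point of use separates one owner's PASIDs from another's.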