Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4002390ybb; Mon, 6 Apr 2020 21:44:01 -0700 (PDT) X-Google-Smtp-Source: APiQypJXSX8wm3ByigFpGgX4Wg8MBMojfq+JhrQHQ0f1JE23oBQ2lwkdzuUYKG5tAhaaucL5c4o8 X-Received: by 2002:a9d:1a4:: with SMTP id e33mr108159ote.343.1586234640873; Mon, 06 Apr 2020 21:44:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586234640; cv=none; d=google.com; s=arc-20160816; b=Jjrk30bvKsbjWsq9o+PaJ6bLWZsV8JPk3OlpKXimADa8elfTxl+IrgSsH/2cZEHkLp A8tPPhoFLUQv10X8WY+qWcTsd1YC+/ebVCXrZxNXn+bSPcIULFg7fymHuQdESnhhTaTB +v00jfdHGJYps6KqdiO9RhNcUZtIJ7T4AEz0HzEURdT24MZF9dwKI3XfQ4qk985q4eEx /zuyY3OFvgM6ZlmdZLr5HWDM7PfQTqU9jDR8xhSsFNayauSdTDz1PRONZXJ1gm62pjer YFW0LZVaIeAY/A2W0g5ltK0/vb+UHTLjynpp2n3MMCUwP+yAWTpBpnj7wkiYDe7Gqeyw JLpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:ironport-sdr:ironport-sdr; bh=3V9KpHs9HZxE0fMkLUxqH/ePyY7cLfYjugdguBxYrbk=; b=F9wUR3ajCfoWMcV5XZDqDmG5hO1N+2ortvk1g92HBjb3sERI8m/T/rCpNzhyczwVE9 xDUMvXWLcWXPbWC3D+/LGCGpSbIw8l/6BcrMWPFg1wmpMOro/zEtHHABw3lqzFiF2YSm FTHK2dYT4pdmc0zygsqUlbHxSHg8YlRQoq1IpcK9NwattwdnzhKrnMTMhWMbm1x3gCQm t6UxptGfG7eYxNzgPzG1/O531okP4zpKhdcmhuvzdBxCdV1f39jGb9xfyiAXH5IHQauN dM5XKDxWjcoRD72QHNnehc9yoMJwt7z3p9JI595IqdQ97X0t8GX8K9Jdu9S/bcL3uZnt tmfA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x14si662298ooc.26.2020.04.06.21.43.33; Mon, 06 Apr 2020 21:44:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726631AbgDGEmI convert rfc822-to-8bit (ORCPT + 99 others); Tue, 7 Apr 2020 00:42:08 -0400 Received: from mga17.intel.com ([192.55.52.151]:17836 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726030AbgDGEmI (ORCPT ); Tue, 7 Apr 2020 00:42:08 -0400 IronPort-SDR: hUa8O12FfDkETebE29P0A0Lp6Dk8cIsy5l7z3Szq9FB/rg42W0SUvP2TCiAtw41m5d8viJb4GG ra+cDHT9pkow== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Apr 2020 21:42:08 -0700 IronPort-SDR: 4wrchvln1lQFNDC1/x6Jh7XDy16JIOWo1Y1Q8iiWViMp1DfJ4gs5bM6IOxf6z16mrLg5Es3a11 hEVmoXmvDIaQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,353,1580803200"; d="scan'208";a="248295728" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga008.jf.intel.com with ESMTP; 06 Apr 2020 21:42:07 -0700 Received: from fmsmsx605.amr.corp.intel.com (10.18.126.85) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 6 Apr 2020 21:42:06 -0700 Received: from fmsmsx605.amr.corp.intel.com (10.18.126.85) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 6 Apr 2020 21:42:06 -0700 Received: from shsmsx107.ccr.corp.intel.com (10.239.4.96) by fmsmsx605.amr.corp.intel.com (10.18.126.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Mon, 6 Apr 2020 21:42:06 -0700 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.225]) by SHSMSX107.ccr.corp.intel.com ([169.254.9.191]) with mapi id 14.03.0439.000; Tue, 7 Apr 2020 12:42:03 +0800 From: "Tian, Kevin" To: Alex Williamson CC: "Liu, Yi L" , "eric.auger@redhat.com" , "jacob.jun.pan@linux.intel.com" , "joro@8bytes.org" , "Raj, Ashok" , "Tian, Jun J" , "Sun, Yi Y" , "jean-philippe@linaro.org" , "peterx@redhat.com" , "iommu@lists.linux-foundation.org" , "kvm@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "Wu, Hao" Subject: RE: [PATCH v1 1/8] vfio: Add VFIO_IOMMU_PASID_REQUEST(alloc/free) Thread-Topic: [PATCH v1 1/8] vfio: Add VFIO_IOMMU_PASID_REQUEST(alloc/free) Thread-Index: AQHWAEUbvuzF5+3jpEaYhihTFzMRG6hlp7CAgAFQhyCAABZAAIAGGnZw Date: Tue, 7 Apr 2020 04:42:02 +0000 Message-ID: References: <1584880325-10561-1-git-send-email-yi.l.liu@intel.com> <1584880325-10561-2-git-send-email-yi.l.liu@intel.com> <20200402115017.0a0f55e2@w520.home> <20200403091424.39383958@w520.home> In-Reply-To: <20200403091424.39383958@w520.home> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > From: Alex Williamson > Sent: Friday, April 3, 2020 11:14 PM > > On Fri, 3 Apr 2020 05:58:55 +0000 > "Tian, Kevin" wrote: > > > > From: Alex Williamson > > > Sent: Friday, April 3, 2020 1:50 AM > > > > > > On Sun, 22 Mar 2020 05:31:58 -0700 > > > "Liu, Yi L" wrote: > > > > > > > From: Liu Yi L > > > > > > > > For a long time, devices have only one DMA address space from > platform > > > > IOMMU's point of view. This is true for both bare metal and directed- > > > > access in virtualization environment. Reason is the source ID of DMA in > > > > PCIe are BDF (bus/dev/fnc ID), which results in only device granularity > > > > DMA isolation. However, this is changing with the latest advancement in > > > > I/O technology area. More and more platform vendors are utilizing the > > > PCIe > > > > PASID TLP prefix in DMA requests, thus to give devices with multiple > DMA > > > > address spaces as identified by their individual PASIDs. For example, > > > > Shared Virtual Addressing (SVA, a.k.a Shared Virtual Memory) is able to > > > > let device access multiple process virtual address space by binding the > > > > virtual address space with a PASID. Wherein the PASID is allocated in > > > > software and programmed to device per device specific manner. > Devices > > > > which support PASID capability are called PASID-capable devices. If such > > > > devices are passed through to VMs, guest software are also able to bind > > > > guest process virtual address space on such devices. Therefore, the > guest > > > > software could reuse the bare metal software programming model, > which > > > > means guest software will also allocate PASID and program it to device > > > > directly. This is a dangerous situation since it has potential PASID > > > > conflicts and unauthorized address space access. It would be safer to > > > > let host intercept in the guest software's PASID allocation. Thus PASID > > > > are managed system-wide. > > > > > > Providing an allocation interface only allows for collaborative usage > > > of PASIDs though. Do we have any ability to enforce PASID usage or can > > > a user spoof other PASIDs on the same BDF? > > > > An user can access only PASIDs allocated to itself, i.e. the specific IOASID > > set tied to its mm_struct. > > A user is only _supposed_ to access PASIDs allocated to itself. AIUI > the mm_struct is used for managing the pool of IOASIDs from which the > user may allocate that PASID. We also state that programming the PASID > into the device is device specific. Therefore, are we simply trusting > the user to use a PASID that's been allocated to them when they program > the device? If a user can program an arbitrary PASID into the device, > then what prevents them from attempting to access data from another > user via the device? I think I've asked this question before, so if > there's a previous explanation or spec section I need to review, please > point me to it. Thanks, > There are two scenarios: (1) for PF/VF, the iommu driver maintains an individual PASID table per PDF. Although the PASID namespace is global, the per-BDF PASID table contains only valid entries for those PASIDs which are allocated to the mm_struct. The user is free to program arbitrary PASID into the assigned device, but using invalid PASIDs simply hit iommu fault. (2) for mdev, multiple mdev instances share the same PASID table of the parent BDF. However, PASID programming is a privileged operation in multiplexing usage, thus must be mediated by mdev device driver. The mediation logic will guarantee that only allocated PASIDs are forwarded to the device. Thanks Kevin