Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp62450pxf; Wed, 31 Mar 2021 16:45:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwY7yLiprstu6x2eJnpxDrO1vpQDs+T1KWdqUAzmwg3eprrP9SOapc4t4JRDqt0SC2PVqcB X-Received: by 2002:a17:906:7257:: with SMTP id n23mr6383159ejk.412.1617234323753; Wed, 31 Mar 2021 16:45:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617234323; cv=none; d=google.com; s=arc-20160816; b=suyWQ1D2gz7o21rpcpTg+tIGpHQjkdkoUBeKzZxCn7AlDrasfIN9SKXLKt+Dnv0amt Aq8Law1B4sgkUPSgU/Vv7saZWtOjlcul9ZvoWpuPApka1N5jF6Zhg38qOCNENHlFMvDW gaOGEHmeNxPRwsxprmXoCLtknNIA7xmY4dmLDkSP+d1xtlgAHIYYwnGChUMPWf0l9Q5p 3eqzPi4q7M8+ZDXlSSCUCdTVpn+eqCVN0BCZDvl78tbTY4L87UddlIC4imsGAUSHXRFm apnNRIDxm1ZBy4y2D4wHaltadTF8OWTeEb84Z+x1Sw4FXXt++xDhzClWhsTIWuWxcbd6 R1YQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:ironport-sdr:ironport-sdr; bh=JJ+8po6ku4zAHrFStkVVu7DFcgkHi3+H0Qj+mRjQfgE=; b=cCYU+2Q3UJ3dqZk87eub1/Q2cxS4lYhU/AAt3h2N5AsIzisbwXazUS0bM50OGpLvif 9o/HB+gVdlFLvOdqdigexYUs54WKpImRlUZTNQ4TSZrT8Xli8QiCpPSldwcqy66F9aFK zM6dKfc6REnWw3dU3a7a/eZZa3/YdNhyBhj7dBGKC5nQENTQa4buY63I+w6+bi4FYhEk enBwDPqba/Yp9xoDZKLHESLduiqCbB19jVOks5rSLRe2014SW6S9VXHmLVqqKNap7nmN fmSeCy/X8r3hHU7PjVzo7qv5Nz+mchq6NoZYepGLfF41OnZ2bubOVcMWOYa2P6IyMFKA S89Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g11si2883125ejd.733.2021.03.31.16.45.01; Wed, 31 Mar 2021 16:45:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232690AbhCaXoF (ORCPT + 99 others); Wed, 31 Mar 2021 19:44:05 -0400 Received: from mga02.intel.com ([134.134.136.20]:36876 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229515AbhCaXnv (ORCPT ); Wed, 31 Mar 2021 19:43:51 -0400 IronPort-SDR: p6+cgFZ/1GpeleyupLG9VADpRHvDNTSKp4+PXF2WvgPmCu4PT3Ce0xe0vbDUhdMJFRPeaT2nDY yJAfl0z8x+fQ== X-IronPort-AV: E=McAfee;i="6000,8403,9940"; a="179243180" X-IronPort-AV: E=Sophos;i="5.81,295,1610438400"; d="scan'208";a="179243180" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2021 16:43:50 -0700 IronPort-SDR: VRxcxsUEV0sH/4DZfBI5I2LaEnMUx/NQkTnVoC7WXr8JeuKEuNiKMslo/z7SMKRlFQ9KRG92fm ptyyNqAhMyTQ== X-IronPort-AV: E=Sophos;i="5.81,295,1610438400"; d="scan'208";a="379087406" Received: from jacob-builder.jf.intel.com (HELO jacob-builder) ([10.7.199.155]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2021 16:43:50 -0700 Date: Wed, 31 Mar 2021 16:46:21 -0700 From: Jacob Pan To: Jason Gunthorpe Cc: "Liu, Yi L" , "Tian, Kevin" , Jean-Philippe Brucker , LKML , Joerg Roedel , Lu Baolu , David Woodhouse , "iommu@lists.linux-foundation.org" , "cgroups@vger.kernel.org" , Tejun Heo , Li Zefan , Johannes Weiner , Jean-Philippe Brucker , Alex Williamson , Eric Auger , Jonathan Corbet , "Raj, Ashok" , "Wu, Hao" , "Jiang, Dave" , jacob.jun.pan@linux.intel.com Subject: Re: [PATCH V4 05/18] iommu/ioasid: Redefine IOASID set and allocation APIs Message-ID: <20210331164621.5f0b0d63@jacob-builder> In-Reply-To: <20210331123801.GD1463678@nvidia.com> References: <20210319124645.GP2356281@nvidia.com> <20210319135432.GT2356281@nvidia.com> <20210319112221.5123b984@jacob-builder> <20210322120300.GU2356281@nvidia.com> <20210324120528.24d82dbd@jacob-builder> <20210329163147.GG2356281@nvidia.com> <20210330132740.GB1403691@nvidia.com> <20210331123801.GD1463678@nvidia.com> Organization: OTC X-Mailer: Claws Mail 3.17.5 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jason, On Wed, 31 Mar 2021 09:38:01 -0300, Jason Gunthorpe wrote: > > > Get rid of the ioasid set. > > > > > > Each driver has its own list of allowed ioasids. > [...] > > The /dev/ioasid FD replaces this security check. By becoming FD > centric you don't need additional kernel security objects. > > Any process with access to the /dev/ioasid FD is allowed to control > those PASID. The seperation between VMs falls naturally from the > seperation of FDs without creating additional, complicated, security > infrastrucure in the kernel. > > This is why all APIs must be FD focused, and you need to have a > logical layering of responsibility. > > Allocate a /dev/ioasid FD > Allocate PASIDs inside the FD > Assign memory to the PASIDS > > Open a device FD, eg from VFIO or VDP > Instruct the device FD to authorize the device to access PASID A in > an ioasid FD How do we know user provided PASID A was allocated by the ioasid FD? Shouldn't we validate user input by tracking which PASIDs are allocated by which ioasid FD? This is one reason why we have ioasid_set and its xarray. > * Prior to being authorized the device will have NO access to any > PASID > * Presenting BOTH the device FD and the ioasid FD to the kernel > is the security check. Any process with both FDs is allowed to > make the connection. This is normal Unix FD centric thinking. > > > > Register a ioasid in the driver's list by passing the fd and ioasid # > > > > > > > The fd here is a device fd. Am I right? > > It would be the vfio_device FD, for instance, and a VFIO IOCTL. > > > If yes, your idea is ioasid is allocated via /dev/ioasid and > > associated with device fd via either VFIO or vDPA ioctl. right? > > sorry I may be asking silly questions but really need to ensure we > > are talking in the same page. > > Yes, this is right > > > > No listening to events. A simple understandable security model. > > > > For this suggestion, I have a little bit concern if we may have A-B/B-A > > lock sequence issue since it requires the /dev/ioasid (if it supports) > > to call back into VFIO/VDPA to check if the ioasid has been registered > > to device FD and record it in the per-device list. right? Let's have > > more discussion based on the skeleton sent by Kevin. > > Callbacks would be backwards. > > User calls vfio with vfio_device fd and dev/ioasid fd > > VFIO extracts some kernel representation of the ioasid from the ioasid > fd using an API > This lookup API seems to be asking for per ioasid FD storage array. Today, the ioasid_set is per mm and contains a Xarray. Since each VM, KVM can only open one ioasid FD, this per FD array would be equivalent to the per mm ioasid_set, right? > VFIO does some kernel call to IOMMU/IOASID layer that says 'tell the > IOMMU that this PCI device is allowed to use this PASID' > Would it be redundant to what iommu_uapi_sva_bind_gpasid() does? I thought the idea is to use ioasid FD IOCTL to issue IOMMU uAPI calls. Or we can skip this step for now and wait for the user to do SVA bind. > VFIO mdev drivers then record that the PASID is allowed in its own > device specific struct for later checking during other system calls. Thanks, Jacob