Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp3318250pxb; Tue, 20 Apr 2021 05:51:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyKV4kLXd0RtFftbidAjbmbhOK4ZrTVvLmIcLaRWY18VVdSy7MJnGMdsipZRznK313GcLf3 X-Received: by 2002:aa7:cb90:: with SMTP id r16mr32924524edt.139.1618923098821; Tue, 20 Apr 2021 05:51:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618923098; cv=none; d=google.com; s=arc-20160816; b=NDOtzH8UpFeJb+BTQYWHyWI6Tgzv4WtVsuk6juVZMo0Au9pwXt/kkTbKOa84VYQRpK nVlM8iez5iHfy+wEavw7Izi+s+UYc51tgIgcGXtDr2OnE652oobXIdGihLGD2N3YbQ1G sETCoLICyQk0LR7kbwkrljwjQ6OIeLxSj9nNw9fDjx6Koj/VdPWi+8NCN4fuDmwgror3 0UjJFOel7wA624bCb1dg/2zhtDHFRzBDU6nq1yQ6LpY0O0N+hLnibFc+gI/9YLSNOgIu LPszkqAMuBxgl9CqiAE7+0HI/h6hTeKAgzwitBRiuQP+2tFQhwkdG+6LOV82X0Uueid0 2x3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=G5yRIbLb0wrh+Eceu5VbKSl+XFcD3wQcxc2FfB4qRUw=; b=TrC6SLs67Z6gJRV0N71D//QqFtetd4yyCPzB+6dKNLmyJ46sa4DDKDIA0gIWWd/tIA dzBsPgsjW0UhqSQQE8sMeEclJwJLOQarCF8ExBpTLdHajoZmlt98Du7BztQs2mJKGTC+ d6XLNkS63JGJU8/uJUoCp2iXXZIfYWxkCVeiIhyS6Uva8gdRJGuzf64blLxJeRC8xiuV qbRtYemoX3z9HdlgC0nnol2Rdt6fafvdED0WBwIhA/d8s1fbKRdYhtioQf+Sdlp3IKOk grg//mRf37Tz9tQUp+Cp8q3XXbKiS915flEr0BQMWQl3qoVcw6/oH+vP9pFgwgfCtOjj s8uw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m9si14697167ejj.645.2021.04.20.05.51.15; Tue, 20 Apr 2021 05:51:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232026AbhDTMut (ORCPT + 99 others); Tue, 20 Apr 2021 08:50:49 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:16144 "EHLO szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230408AbhDTMus (ORCPT ); Tue, 20 Apr 2021 08:50:48 -0400 Received: from DGGEMS407-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4FPk3R0lJvzpZfN; Tue, 20 Apr 2021 20:47:15 +0800 (CST) Received: from [10.67.102.118] (10.67.102.118) by DGGEMS407-HUB.china.huawei.com (10.3.19.207) with Microsoft SMTP Server id 14.3.498.0; Tue, 20 Apr 2021 20:50:12 +0800 Subject: Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio To: Jason Gunthorpe CC: , , , References: <1618284983-55581-1-git-send-email-liulongfang@huawei.com> <1618284983-55581-3-git-send-email-liulongfang@huawei.com> <20210415220137.GA1672608@nvidia.com> <10d53c5d-e6d5-a165-84b2-eaf8a3b7dcce@huawei.com> <20210419123314.GT1370958@nvidia.com> From: liulongfang Message-ID: <00c4fa43-21fa-a48b-b95d-a2310ffab725@huawei.com> Date: Tue, 20 Apr 2021 20:50:12 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <20210419123314.GT1370958@nvidia.com> Content-Type: text/plain; charset="gbk" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.102.118] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021/4/19 20:33, Jason Gunthorpe wrote: > On Mon, Apr 19, 2021 at 08:24:40PM +0800, liulongfang wrote: > >>> I'm also confused how this works securely at all, as a general rule a >>> VFIO PCI driver cannot access the MMIO memory of the function it is >>> planning to assign to the guest. There is a lot of danger that the >>> guest could access that MMIO space one way or another. >> >> VF's MMIO memory is divided into two parts, one is the guest part, >> and the other is the live migration part. They do not affect each other, >> so there is no security problem. > > AFAIK there are several scenarios where a guest can access this MMIO > memory using DMA even if it is not mapped into the guest for CPU > access. > The hardware divides VF's MMIO memory into two parts. The live migration driver in the host uses the live migration part, and the device driver in the guest uses the guest part. They obtain the address of VF's MMIO memory in their respective drivers, although these two parts The memory is continuous on the hardware device, but due to the needs of the drive function, they will not perform operations on another part of the memory, and the device hardware also independently responds to the operation commands of the two parts. So, I still don't understand what the security risk you are talking about is, and what do you think the security design should look like? Can you elaborate on it? >> If pci_release_mem_regions() is not added here, >> The guests using pci_request_mem_regions() will return an error. >> Then, the guest will not be able to obtain the MMIO address of the VF. > > Which is why VFIO has this protection to prevent sharing MMIO regions > on the VF assigned to the guest > > Jason > . > Thanks. Longfang.