Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp295500pxj;
        Thu, 3 Jun 2021 06:59:03 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJx297NuCja3w2Tmw/7EMGgB5RDEImHnBe2mc93elSZ7OWr4ZSIm2CR7tjg4VvtnCY+r4e8B
X-Received: by 2002:a17:906:6c88:: with SMTP id s8mr13682301ejr.129.1622728743724;
        Thu, 03 Jun 2021 06:59:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622728743; cv=none;
        d=google.com; s=arc-20160816;
        b=ToeH6/Uywe22CKWIv/hrvnsuyLyMr9bOTr1zE84rHtbBnlHrg6kvtpCjr63sNfbSBN
         eJrd+vet4uxoaY687SIg2Hs5D5NWc9SPDi3QibEApQemmBzCxc4IZICPQJPNNKpzZaz1
         gHA2gAHwiXvwQKPgJdQQflAQXh6KfK8YtiLM2b7/xnj6pZh4k+Xi/CSie20zMPZrblao
         MG7sn+UGdKqAyd/BLEnt8bJ+cyRpip2I4/9dT/rYjpXuAngrU3ai0+nU9AgxTIGmp/Hk
         iW34SK97UHbNTpRfUzG+4N3vVIX6U9FghrI7Qv/YoWG0EGQbA8+btiPxQb9gv7gXOx/A
         2AmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-language:content-transfer-encoding
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:ironport-sdr:ironport-sdr;
        bh=FmLPjdl4gVZVCZLKLIYDZYLyqmvLgJ+BlhN06ELAPOI=;
        b=ip2v9A1wUUziohqP3ueHbhMVVu4VziUC6ksvgD/1/dG5s8OSIoXCGshwEaEgBsb9HD
         DK9rpsAS3xAYApi5txOIHunRkgHn7k16mqJXh86qCEB/24/5/6izs+02nCGommUMR1dC
         2n3TJuNV6REpj5e893bumOwvQVLhAJqEuJzpQtA2h6MfRcY9ykUIohnURiyf35UPQ8YK
         4/FOLSJpjjALcug2G1UxJqpxFnu91u+bYXGOXlQhaPTrNXSpKroTJLolvIsNEEzAwy4r
         b/3D62k/j/BUQAYZt/VHxspAeOk6oBkEDn3nOFNGEF2UXmKYnBfAGfZh8eQ0h3YJI5xU
         c4Xg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 8si2607621ejx.753.2021.06.03.06.58.41;
        Thu, 03 Jun 2021 06:59:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230386AbhFCN5E (ORCPT <rfc822;luming.yu@gmail.com> + 99 others);
        Thu, 3 Jun 2021 09:57:04 -0400
Received: from mga07.intel.com ([134.134.136.100]:32352 "EHLO mga07.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229738AbhFCN5E (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Jun 2021 09:57:04 -0400
IronPort-SDR: fIc/hf6nHugKq0FiJhkuK6xEzI9Btozra7WnMZB9cEckJa5Z0R6q3p01poTt074ezC2cpCCXFJ
 2PixF+vV7pNw==
X-IronPort-AV: E=McAfee;i="6200,9189,10004"; a="267910102"
X-IronPort-AV: E=Sophos;i="5.83,246,1616482800"; 
   d="scan'208";a="267910102"
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Jun 2021 06:55:09 -0700
IronPort-SDR: WSa7HuZNkrlwz34Gbfei5TXfLURTgD2GlmLyG8N/jgYZni0MyjUmN6cSa58+JEkd6TyCxYnzg9
 guBhNlSSzzuA==
X-IronPort-AV: E=Sophos;i="5.83,246,1616482800"; 
   d="scan'208";a="550698748"
Received: from akleen-mobl1.amr.corp.intel.com (HELO [10.209.7.237]) ([10.209.7.237])
  by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Jun 2021 06:55:09 -0700
Subject: Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
To:     Jason Wang <jasowang@redhat.com>, mst@redhat.com
Cc:     virtualization@lists.linux-foundation.org, hch@lst.de,
        m.szyprowski@samsung.com, robin.murphy@arm.com,
        iommu@lists.linux-foundation.org, x86@kernel.org,
        sathyanarayanan.kuppuswamy@linux.intel.com, jpoimboe@redhat.com,
        linux-kernel@vger.kernel.org
References: <20210603004133.4079390-1-ak@linux.intel.com>
 <20210603004133.4079390-2-ak@linux.intel.com>
 <28c8302b-6833-10b4-c0eb-67456e7c4069@redhat.com>
 <09e17c7f-ce51-1a46-72c4-12223bee4e3a@linux.intel.com>
 <1c08bc42-7448-351e-78bf-fcf68d2b2561@redhat.com>
 <5a2d0d70-fa6b-f08d-f222-5c00cf5f9d44@linux.intel.com>
 <9b10bb24-eb27-510e-cf0d-7818ab9166ef@redhat.com>
From:   Andi Kleen <ak@linux.intel.com>
Message-ID: <9d6bc785-9613-a2e8-f78f-4547747a331d@linux.intel.com>
Date:   Thu, 3 Jun 2021 06:55:08 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.10.2
MIME-Version: 1.0
In-Reply-To: <9b10bb24-eb27-510e-cf0d-7818ab9166ef@redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


> Ok, but what I meant is this, if we don't read from the descriptor 
> ring, and validate all the other metadata supplied by the device (used 
> id and len). Then there should be no way for the device to suppress 
> the dma flags to write to the indirect descriptor table.
>
> Or do you have an example how it can do that?

I don't. If you can validate everything it's probably ok

The only drawback is even more code to audit and test.

-Andi