Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3517997pxj; Mon, 7 Jun 2021 12:45:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzTjj6kfl7iTbTXo/ymLUNNWG4ZindO/xorzbLuoAl3dx2D0WFJPd4tbS9RBAqhf7ySKZp3 X-Received: by 2002:a17:907:9607:: with SMTP id gb7mr19519367ejc.208.1623095154328; Mon, 07 Jun 2021 12:45:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623095154; cv=none; d=google.com; s=arc-20160816; b=l5xRXlaW3GXWfnWmKAJci8Ut3KbYDXlboBc69apLIy0TVTVThstybeI18DV3+1jZYa BI1LfVJiZrftFVTFS39mS4ToSGSDPFvpEoKLWpwc6zIK5Z9xVj4Og4mYcD21pxH+Ruw9 Pb7mdxpUcdywgjvun/OFsJ7PjI/PSxSa/o5exeV8APvlHsXP7y8Pgs+t2f+P6CsiVtUP dKOBpaxNP6AEC9taj6sdKnc6SFSibfQBgeEhZTPfkq2gYl/UffVi+JWGnDdjLDso4mOk y/94GvYETd5aBxzrf4xRUzSx6yyS2RIZy/1SaL1/vk9RN+J6/g7K+l4lVFPsFL0yK6gY CnOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=ktL5nWqTPLu4372fp6dA+Wp9VnIRyo2M4rsP7gUhK4E=; b=byZEeJioLSEHoA4FOKZLvv56XGePyLCfJ1Dz0KJp1qeKg8Cnj2HkIwwmMVKpWRZIT7 d111hV9xkvZ63d7OaIUnx+VwZI+5fqY4g3OKUuySo9lT1QJ5jZmA4E53fLY6K2XWmowx OZ8Bw8gpQCZzOYwoKRygfUJED20CfWczdNvZg3t6sWFmSRtFdA8TEc5zfATieMwLUczJ lq7B7PY+EkQDphKvlEeCRHEPGtuQ6rFWddCZtlX7BxkmMBhLiw7535Q5YVAH6u29Ldoo joSCDiL2NDruYvH1/j7jt1bl0xWfAwN31/HLRy0emTuroXEIVR8W9uqPqa8FQ5b2GZUb no7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EVk2TVFC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h21si11855256ejt.172.2021.06.07.12.45.30; Mon, 07 Jun 2021 12:45:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EVk2TVFC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231503AbhFGTn2 (ORCPT + 99 others); Mon, 7 Jun 2021 15:43:28 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:21038 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231569AbhFGTnY (ORCPT ); Mon, 7 Jun 2021 15:43:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1623094893; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ktL5nWqTPLu4372fp6dA+Wp9VnIRyo2M4rsP7gUhK4E=; b=EVk2TVFCGDkipQQlqkRYZWUnj7in/jGtPpzJiDYylQ39c/nutF0BcpH8V8rZIHwEGz2JbT 5Aw7z69Zf0UIS5aAnOsx4OdcaNqTh/9zQ8hUYFc3g+XqoXeCtkgHNfbGwLqmnbaWIhRwZM Iz46Svi5x3g7FDXvD6j1qpop0biPaeI= Received: from mail-ot1-f72.google.com (mail-ot1-f72.google.com [209.85.210.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-508-XSNH4H0sOYywdQY4hIDm-Q-1; Mon, 07 Jun 2021 15:41:30 -0400 X-MC-Unique: XSNH4H0sOYywdQY4hIDm-Q-1 Received: by mail-ot1-f72.google.com with SMTP id x2-20020a9d62820000b02902e4ff743c4cso12228113otk.8 for ; Mon, 07 Jun 2021 12:41:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ktL5nWqTPLu4372fp6dA+Wp9VnIRyo2M4rsP7gUhK4E=; b=eRBD/Ge4ULu6Eye/zDx7uqIzHE4HoHFddGjMzLIOplWHG5Z0cIeDgxZ5+T8gY82rw2 /mcoZp9QKP0LL7fODZoRoLBk+VOaRNxTJl4Zffh18Sgq97xXU2YY19cVLksoVy4lEb5Q +vc6/oZE4/zUopGrHoR61NvKYDPimirIyOSNXPGzrgbDCLPjD3J1Yc5AqtsiwtjHwZ0A /xt/0klfnqSmHn6tlKW7CxY5HFBrspmUQNGNvFpjnE9FTmC8D6/VCAnPwJ4tW6BnF4qe rfW24bcgktEmRHWZdqdBhZXq4hUfm8fDo3YIMCcOJkWGR3iM7xTxlbBUqS7imrMv1yhs pHRw== X-Gm-Message-State: AOAM533J1RDm2lvZrNE5NvNQp0dAMpXRMi2M+H5F14DTJibXS8hzth1W iG02Kcm3Gp479EVVG8ENafPirfy/8e9n7ohAR8//BxqHAZqn+mL5nimLbU5lfTy6wLsDuzXSbrO 1t+4MMGjNfptB8R09uHk8vDH6 X-Received: by 2002:aca:3102:: with SMTP id x2mr537469oix.1.1623094890138; Mon, 07 Jun 2021 12:41:30 -0700 (PDT) X-Received: by 2002:aca:3102:: with SMTP id x2mr537457oix.1.1623094889890; Mon, 07 Jun 2021 12:41:29 -0700 (PDT) Received: from redhat.com ([198.99.80.109]) by smtp.gmail.com with ESMTPSA id r83sm2421065oih.48.2021.06.07.12.41.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 07 Jun 2021 12:41:29 -0700 (PDT) Date: Mon, 7 Jun 2021 13:41:28 -0600 From: Alex Williamson To: Jason Gunthorpe Cc: Paolo Bonzini , "Tian, Kevin" , Jean-Philippe Brucker , "Jiang, Dave" , "Raj, Ashok" , "kvm@vger.kernel.org" , Jonathan Corbet , Robin Murphy , LKML , "iommu@lists.linux-foundation.org" , David Gibson , Kirti Wankhede , David Woodhouse , Jason Wang Subject: Re: [RFC] /dev/ioasid uAPI proposal Message-ID: <20210607134128.58c2ea31.alex.williamson@redhat.com> In-Reply-To: <20210607190802.GO1002214@nvidia.com> References: <20210604155016.GR1002214@nvidia.com> <30e5c597-b31c-56de-c75e-950c91947d8f@redhat.com> <20210604160336.GA414156@nvidia.com> <2c62b5c7-582a-c710-0436-4ac5e8fd8b39@redhat.com> <20210604172207.GT1002214@nvidia.com> <20210604152918.57d0d369.alex.williamson@redhat.com> <20210604230108.GB1002214@nvidia.com> <20210607094148.7e2341fc.alex.williamson@redhat.com> <20210607181858.GM1002214@nvidia.com> <20210607125946.056aafa2.alex.williamson@redhat.com> <20210607190802.GO1002214@nvidia.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 7 Jun 2021 16:08:02 -0300 Jason Gunthorpe wrote: > On Mon, Jun 07, 2021 at 12:59:46PM -0600, Alex Williamson wrote: > > > > It is up to qemu if it wants to proceed or not. There is no issue with > > > allowing the use of no-snoop and blocking wbinvd, other than some > > > drivers may malfunction. If the user is certain they don't have > > > malfunctioning drivers then no issue to go ahead. > > > > A driver that knows how to use the device in a coherent way can > > certainly proceed, but I suspect that's not something we can ask of > > QEMU. QEMU has no visibility to the in-use driver and sketchy ability > > to virtualize the no-snoop enable bit to prevent non-coherent DMA from > > the device. There might be an experimental ("x-" prefixed) QEMU device > > option to allow user override, but QEMU should disallow the possibility > > of malfunctioning drivers by default. If we have devices that probe as > > supporting no-snoop, but actually can't generate such traffic, we might > > need a quirk list somewhere. > > Compatibility is important, but when I look in the kernel code I see > very few places that call wbinvd(). Basically all DRM for something > relavent to qemu. > > That tells me that the vast majority of PCI devices do not generate > no-snoop traffic. Unfortunately, even just looking at devices across a couple laptops most devices do support and have NoSnoop+ set by default. I don't notice anything in the kernel that actually tries to set this enable (a handful that actively disable), so I assume it's done by the firmware. It's not safe for QEMU to make an assumption that only GPUs will actually make use of it. > > > I think it makes the software design much simpler if the security > > > check is very simple. Possessing a suitable device in an ioasid fd > > > container is enough to flip on the feature and we don't need to track > > > changes from that point on. We don't need to revoke wbinvd if the > > > ioasid fd changes, for instance. Better to keep the kernel very simple > > > in this regard. > > > > You're suggesting that a user isn't forced to give up wbinvd emulation > > if they lose access to their device? > > Sure, why do we need to be stricter? It is the same logic I gave > earlier, once an attacker process has access to wbinvd an attacker can > just keep its access indefinitely. > > The main use case for revokation assumes that qemu would be > compromised after a device is hot-unplugged and you want to block off > wbinvd. But I have a hard time seeing that as useful enough to justify > all the complicated code to do it... It's currently just a matter of the kvm-vfio device holding a reference to the group so that it cannot be used elsewhere so long as it's being used to elevate privileges on a given KVM instance. If we conclude that access to a device with the right capability is required to gain a privilege, I don't really see how we can wave aside that the privilege isn't lost with the device. > For KVM qemu can turn on/off on hot plug events as it requires to give > VM security. It doesn't need to rely on the kernel to control this. Yes, QEMU can reject a hot-unplug event, but then QEMU retains the privilege that the device grants it. Releasing the device and retaining the privileged gained by it seems wrong. Thanks, Alex