Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5124502pxj; Wed, 9 Jun 2021 09:39:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz4RWjI+uNDSmjGpBASy4mOv9EOHmqjLdk6l8/KDlHGO17esbTXvhBa1dj25iBE/LBS08Em X-Received: by 2002:a17:907:2141:: with SMTP id rk1mr774967ejb.200.1623256786662; Wed, 09 Jun 2021 09:39:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623256786; cv=none; d=google.com; s=arc-20160816; b=N38oAFluxGN76bDx7XWCyas+nf0MhsiXbAuRFbPY5lrR8dNo0P3Liqu8k/B/KmvYyv e9+ChREX/P0HSE+1wWY4kGdRUrte7mzaFfmKt6ccAPtzy+l149K0y14Wz2Qlc6OGr8pp brn/PtxEEzDJXbo5w51dl6LsSKU2wGf7WIscv94RCErRj/Ar2Tty9U+3jkiDvKBurMHO 3luYySKoRou3+d7SLIAdsoFrJRzDt06iRSWp7CEAPP2FajvhhY5H9oLjzBKwUnhWcaZL 5qhr8+L4+jk0mhH5O3JKvngOD2T1vSKfk+5bXMUXcm5O7Eg68+pdsnm9DF31xjh0Rtrc URXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:dkim-signature; bh=SZmKOdk4Od3jn4SVquGsGKOyAGFLzN67LcgeiA2x0Kc=; b=Y1uI8UehVZpLF55paoJMMV3xEUxWNku7O+2zEWolLxQiD2eJ/LXzZZU6lduKZ6IKum oMcHlOQc0vMR627hexo5Ho7p8wL0TpwNnW/ldB7gUckyR7edcscz27W80YSsaBFpseUP I50Xd7W7dnCRi3qjKhOHgrQgrfDw+mvazNRUUUPvUwXYwNfWHFB//G4fxtafK8miVTPJ I0yTWPv/twxW+6vG7nCDarfuUkm1meOsW1/ymqSJNFEA4q7825XZqRJIX2WoxG8mFVnq dgWC73OVdvph7rOgw345K/yDWHwxz8FoEtHDcVdKGqqtQoiDFHFQCsT8w1+55reOwswX XEhQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FZRYYkrv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g1si242099ejj.85.2021.06.09.09.39.22; Wed, 09 Jun 2021 09:39:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FZRYYkrv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233793AbhFIQ3Z (ORCPT + 99 others); Wed, 9 Jun 2021 12:29:25 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:42920 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233163AbhFIQ3Y (ORCPT ); Wed, 9 Jun 2021 12:29:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1623256047; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SZmKOdk4Od3jn4SVquGsGKOyAGFLzN67LcgeiA2x0Kc=; b=FZRYYkrvtGyOy487abI61TT9J+0cV2t3c7ARwP7QrLx01opaQrh1ix64ucF+6nwdP/ab9e Dq1fjjmGfzc6dUO6mwPTXCbdd3MBmdNJ0mnppmw28bJ1jLpJJoltsetpHyUMLrQPJYt2vH R9HXj5EErhyp13pVn0zxbGv0SR4bb44= Received: from mail-oo1-f71.google.com (mail-oo1-f71.google.com [209.85.161.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-125-2O4ZbXovPPmOZluxnHwh3A-1; Wed, 09 Jun 2021 12:27:26 -0400 X-MC-Unique: 2O4ZbXovPPmOZluxnHwh3A-1 Received: by mail-oo1-f71.google.com with SMTP id f8-20020a4ab6480000b029023de979bd74so15845129ooo.7 for ; Wed, 09 Jun 2021 09:27:25 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:organization:mime-version:content-transfer-encoding; bh=SZmKOdk4Od3jn4SVquGsGKOyAGFLzN67LcgeiA2x0Kc=; b=dF8glnBHHvj5CXNLD+1uHBNhv1euCkWtnbjJUYFSfRSNvYWEL6Cnw6qDXJcQIVv3KS 6BXEAHN4LawF7W6QXQQx9DltQlnlWI0PLcnuyHorFxK2ljo4tcBmL8xElY7rWACYQcw2 TqWqqGP1G4czJhMUrbohT6uzkSiZA8zifu+cRj/WTNG/K8dnP8m8VrB6GLIt5zUKhw1G /RHAJoQoX3+wq/0D8KtT0COKbGLMxQJrgnR2os1fC9aSPYUJM/n8T+4ymu6QRTM+oPCn VEhTTfD54FhiDCi9VlGxQTX30/jsbBImJJTVarFchFNP8PvqegDYUvt/id4YKCqvcrH9 u46g== X-Gm-Message-State: AOAM530eGOCTe9X4YS8pny1C6wpFkeEdyDBAG4ruHwMy2BJ5p52IUzOe YS4oxRtn5zWrg0VicShnV06w1lgj7Ax+/it+mEpN2oNmlRFYkjEhfZDegF8IDMlNbe7eUcv9G9M w5iH4xzT360O+mQW91oujh6jW X-Received: by 2002:a9d:644f:: with SMTP id m15mr203674otl.99.1623256045148; Wed, 09 Jun 2021 09:27:25 -0700 (PDT) X-Received: by 2002:a9d:644f:: with SMTP id m15mr203657otl.99.1623256044914; Wed, 09 Jun 2021 09:27:24 -0700 (PDT) Received: from redhat.com ([198.99.80.109]) by smtp.gmail.com with ESMTPSA id s28sm58975oij.12.2021.06.09.09.27.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Jun 2021 09:27:24 -0700 (PDT) Date: Wed, 9 Jun 2021 10:27:22 -0600 From: Alex Williamson To: Joerg Roedel Cc: Jason Gunthorpe , "Tian, Kevin" , Jean-Philippe Brucker , David Gibson , Jason Wang , "parav@mellanox.com" , "Enrico Weigelt, metux IT consult" , Paolo Bonzini , Shenming Lu , Eric Auger , Jonathan Corbet , "Raj, Ashok" , "Liu, Yi L" , "Wu, Hao" , "Jiang, Dave" , Jacob Pan , Kirti Wankhede , Robin Murphy , "kvm@vger.kernel.org" , "iommu@lists.linux-foundation.org" , David Woodhouse , LKML , Lu Baolu Subject: Re: Plan for /dev/ioasid RFC v2 Message-ID: <20210609102722.5abf62e1.alex.williamson@redhat.com> In-Reply-To: <20210609101532.452851eb.alex.williamson@redhat.com> References: <20210609123919.GA1002214@nvidia.com> <20210609150009.GE1002214@nvidia.com> <20210609101532.452851eb.alex.williamson@redhat.com> Organization: Red Hat X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 9 Jun 2021 10:15:32 -0600 Alex Williamson wrote: > On Wed, 9 Jun 2021 17:51:26 +0200 > Joerg Roedel wrote: > > > On Wed, Jun 09, 2021 at 12:00:09PM -0300, Jason Gunthorpe wrote: > > > Only *drivers* know what the actual device is going to do, devices do > > > not. Since the group doesn't have drivers it is the wrong layer to be > > > making choices about how to configure the IOMMU. > > > > Groups don't carry how to configure IOMMUs, that information is > > mostly in the IOMMU domains. And those (or an abstraction of them) is > > configured through /dev/ioasid. So not sure what you wanted to say with > > the above. > > > > All a group carries is information about which devices are not > > sufficiently isolated from each other and thus need to always be in the > > same domain. > > > > > The device centric approach is my attempt at this, and it is pretty > > > clean, I think. > > > > Clean, but still insecure. > > > > > All ACS does is prevent P2P operations, if you assign all the group > > > devices into the same /dev/iommu then you may not care about that > > > security isolation property. At the very least it is policy for user > > > to decide, not kernel. > > > > It is a kernel decision, because a fundamental task of the kernel is to > > ensure isolation between user-space tasks as good as it can. And if a > > device assigned to one task can interfer with a device of another task > > (e.g. by sending P2P messages), then the promise of isolation is broken. > > AIUI, the IOASID model will still enforce IOMMU groups, but it's not an > explicit part of the interface like it is for vfio. For example the > IOASID model allows attaching individual devices such that we have > granularity to create per device IOASIDs, but all devices within an > IOMMU group are required to be attached to an IOASID before they can be > used. It's not entirely clear to me yet how that last bit gets > implemented though, ie. what barrier is in place to prevent device > usage prior to reaching this viable state. > > > > Groups should be primarily about isolation security, not about IOASID > > > matching. > > > > That doesn't make any sense, what do you mean by 'IOASID matching'? > > One of the problems with the vfio interface use of groups is that we > conflate the IOMMU group for both isolation and granularity. I think > what Jason is referring to here is that we still want groups to be the > basis of isolation, but we don't want a uAPI that presumes all devices > within the group must use the same IOASID. For example, if a user owns > an IOMMU group consisting of non-isolated functions of a multi-function > device, they should be able to create a vIOMMU VM where each of those > functions has its own address space. That can't be done today, the > entire group would need to be attached to the VM under a PCIe-to-PCI > bridge to reflect the address space limitation imposed by the vfio > group uAPI model. Thanks, Hmm, likely discussed previously in these threads, but I can't come up with the argument that prevents us from making the BIND interface at the group level but the ATTACH interface at the device level? For example: - VFIO_GROUP_BIND_IOASID_FD - VFIO_DEVICE_ATTACH_IOASID AFAICT that makes the group ownership more explicit but still allows the device level IOASID granularity. Logically this is just an internal iommu_group_for_each_dev() in the BIND ioctl. Thanks, Alex