Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5186914pxj; Wed, 9 Jun 2021 11:09:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyYW57PMvz5Dk3CEQ8oyuC/JGl2zPoG44CaXMJU7FrBQe59MiqV+SyLnCmMDBE27Df21CN/ X-Received: by 2002:a05:6402:14d5:: with SMTP id f21mr684180edx.307.1623262171476; Wed, 09 Jun 2021 11:09:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623262171; cv=none; d=google.com; s=arc-20160816; b=ptwSc4TpQ4k287gBTYR+unNpkroptJHezr7qQY8pF5HSD+JGjsFT/Jt5nVxR1Z29NW vslW5ptAdfYWlxDvBBsAjjYkyqZobrPUF/QLN9OQ8RC/rNMH0U7o9Ac9nvGGpq7VdyJX 9s45GLXbb3tB+TILtiLpar1OOyia6KZjCUA7qfx936cUDfK1TtQo7R5Rd5WzFfZ+X0nU i/hP7qXs2/FU8IQLht/qlOqI8XKhuTeVgu53Ijavg09Yx+EgGABZmSMO89PuMC2pauVg N3jtHLFz5twmTOyUkzmz5nAGMtq32eeiW2scNaCYvlBwIafxFjYA3+3y+6IPV+N0hZNg vk7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=mlSWxF+1JVxKMka9xCv8Nz/OAuGQmpna1bJaALGEGfU=; b=z6Vjbm+Yd4WyGPW9hkbphjI25D6mrlDTg7ES9GAs8U+uXPypzZHzvdhJIdNLnO0Br+ 495JFIe0KTMFy5YdN9cNvS036dSHzeyFcbcrS8UypwFSvA58aQ1bAFJULNDlmgvTLcqO a4DNhZHB3uAAOZEV2EC2TBpXT4OxSLDZMHy3QufM8VBvJa2q6bE8GuzCdSc1peZpIWUU 5vvo+TFM5HsERibHt3PP6+Ax28kSyd4pdUxtgtwOLIkpwyhTG8rtczRyHWMEmfazd+0c lfrO+TgCniLI4CMEPXulium/4kNEiwTGoBemN3zdwC3V0YhVA792VrEob32KNqh9WgfD PY/A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cf10si296847edb.247.2021.06.09.11.09.06; Wed, 09 Jun 2021 11:09:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=8bytes.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237198AbhFIPxY (ORCPT + 99 others); Wed, 9 Jun 2021 11:53:24 -0400 Received: from 8bytes.org ([81.169.241.247]:43546 "EHLO theia.8bytes.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237156AbhFIPxX (ORCPT ); Wed, 9 Jun 2021 11:53:23 -0400 Received: by theia.8bytes.org (Postfix, from userid 1000) id 9B3CD434; Wed, 9 Jun 2021 17:51:27 +0200 (CEST) Date: Wed, 9 Jun 2021 17:51:26 +0200 From: Joerg Roedel To: Jason Gunthorpe Cc: "Tian, Kevin" , "Alex Williamson (alex.williamson@redhat.com)" , Jean-Philippe Brucker , David Gibson , Jason Wang , "parav@mellanox.com" , "Enrico Weigelt, metux IT consult" , Paolo Bonzini , Shenming Lu , Eric Auger , Jonathan Corbet , "Raj, Ashok" , "Liu, Yi L" , "Wu, Hao" , "Jiang, Dave" , Jacob Pan , Kirti Wankhede , Robin Murphy , "kvm@vger.kernel.org" , "iommu@lists.linux-foundation.org" , David Woodhouse , LKML , Lu Baolu Subject: Re: Plan for /dev/ioasid RFC v2 Message-ID: References: <20210609123919.GA1002214@nvidia.com> <20210609150009.GE1002214@nvidia.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210609150009.GE1002214@nvidia.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 09, 2021 at 12:00:09PM -0300, Jason Gunthorpe wrote: > Only *drivers* know what the actual device is going to do, devices do > not. Since the group doesn't have drivers it is the wrong layer to be > making choices about how to configure the IOMMU. Groups don't carry how to configure IOMMUs, that information is mostly in the IOMMU domains. And those (or an abstraction of them) is configured through /dev/ioasid. So not sure what you wanted to say with the above. All a group carries is information about which devices are not sufficiently isolated from each other and thus need to always be in the same domain. > The device centric approach is my attempt at this, and it is pretty > clean, I think. Clean, but still insecure. > All ACS does is prevent P2P operations, if you assign all the group > devices into the same /dev/iommu then you may not care about that > security isolation property. At the very least it is policy for user > to decide, not kernel. It is a kernel decision, because a fundamental task of the kernel is to ensure isolation between user-space tasks as good as it can. And if a device assigned to one task can interfer with a device of another task (e.g. by sending P2P messages), then the promise of isolation is broken. > Groups should be primarily about isolation security, not about IOASID > matching. That doesn't make any sense, what do you mean by 'IOASID matching'? > Blocking this forever in the new uAPI just because group = IOASID is > some historical convenience makes no sense to me. I think it is safe to assume that devices supporting PASID will most often be the only ones in their group. But for the non-PASID IOASID use-cases like plain old device assignment to a VM it needs to be group-centric. Regards, Joerg