Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1489780pxj; Sat, 12 Jun 2021 10:02:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyp8NsI48pSRQqz1WY+JMyMVkJrx24Pkm8+RUTi3vp2JyAKe8yf1Guh3jnBWoTTmunHkh4A X-Received: by 2002:a05:6402:4414:: with SMTP id y20mr9391210eda.130.1623517374212; Sat, 12 Jun 2021 10:02:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623517374; cv=none; d=google.com; s=arc-20160816; b=lbouk6FXDvhQNkTFzxGi7HA2Y/sXWgTZAG/WLwLZHy4J5WizfG1VRHbClKs8BaNroq TsVpMZGJoHA59RTfsNK0Cw3rnReEPOMH7i0F5vm/Lp2dXvQh3OQeIW6H54plgmekL7rJ rZeXG6+bAo+8QYU+MFncYHPL8bBC/np8H870Z2FJjgN2XFwTH5XxNF7uTO5l/3j+4Yb1 LZUWqT2A4QL+KpUTGo8mU/WwTdRNPVtrhFcZ6u7lVOq/tbIrd9WgIOZCAZRvrIaA3OlX q2QdVwMQrRDe0XqZJpNlq3HupTWNEgFI2e4zrRQ72BufCL36nacX7GawpkvhscwTMstC mcng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:dkim-signature; bh=shhxkeyT6sH5lJV4f12+U24GPPhn47S3juDgxTTkERI=; b=Xn6iAoUDVgUfGtTRpwWUWgv2R9HG2hvlFXI6DH1ZJBOCCw4WXJMok3hLuVlmuv6S4j 5Z8mt3iLQMjzc8sbXnWRoD8ney6K35sx33El7XXnIlnrEvng1cTw4593o5qH9w8OYx9i nTpJtCbzDMfFW+GROw+R8Mlbtp0hSwoKOosmo+eJlqSfl0GClzUVtSSAnGPjHRMf9VG3 I6QDGMRgpYBdyvfAyuYlwjGVKur2Lgdnqp0bOWpKkRKqZx4Gwn9sNrDW8+7oSk3Dtp3E PLTorMwe7IesWiPXG0Vcy2KdQ7tyLxrKWKFaUijlThG5A/vV2tnyOEgrUeghmqgYmSVq iWKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aoatqcD4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jg29si7215735ejc.268.2021.06.12.10.02.19; Sat, 12 Jun 2021 10:02:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=aoatqcD4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231450AbhFLQ7S (ORCPT + 99 others); Sat, 12 Jun 2021 12:59:18 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:49578 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231309AbhFLQ7S (ORCPT ); Sat, 12 Jun 2021 12:59:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1623517037; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=shhxkeyT6sH5lJV4f12+U24GPPhn47S3juDgxTTkERI=; b=aoatqcD4IDqiQcGVyVmhTcM+WDiodee0qJYFOG7Rv5p8ecN/eVoyGesLMnuMmaOLOQ55dU sZPwopSQ+Ee4oCUVWv+ZRyiTOyCj8AEg2eB32r+pEH9/e+yBbQRoVk/KcAeBqe4RczRerD 9B16zWSewqfq/LOKc64/DevlaFE2b/Q= Received: from mail-oi1-f200.google.com (mail-oi1-f200.google.com [209.85.167.200]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-478-8nJgJsjMNjSCUmB1uAj5-g-1; Sat, 12 Jun 2021 12:57:16 -0400 X-MC-Unique: 8nJgJsjMNjSCUmB1uAj5-g-1 Received: by mail-oi1-f200.google.com with SMTP id o10-20020a0568080bcab02901f44e2256b9so3795979oik.0 for ; Sat, 12 Jun 2021 09:57:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:organization:mime-version:content-transfer-encoding; bh=shhxkeyT6sH5lJV4f12+U24GPPhn47S3juDgxTTkERI=; b=otInhRoN3hRKum7/ArMIArdmEx6fU98nSEOxSLuZZDKpkwdp9WxGuDFdqFQsgkNqfT jPsXotTHIu1DfSvRBqPAGI64NYqGx43cyOyNupGFzG2Y1lTEsBGAIzdz27X24cbs20gI eqDcyuBoYLrujCFVlUEPXlmTVOyCyVo4hJ8Uonasu5j5fkwPsoZgykx/fBRyEX2/D+eK oyvjO5GIqWw9aD3I7wQzNZIvD5ZkRukRe2Dvslhm0UvI/OAHiA0tAwWFOWREf4mT1vR/ Ue32Q1xvo2wbmYuYxR6rpfVjB2UI99eGA+EFdj/gulczgElE0Fc1ox/tlFGK2AasyA5b TL3A== X-Gm-Message-State: AOAM531nI5fQmWmCfOMjyiE7igkJti/eSagbnzP2DFEbBF6Xxog5HK05 zDv7uE9/iw5++Z2rBtkWMZllJReKABJbhYdEiZs6oSf7TGmvMuMrQ8RXWBpJGsH5jvoKlmwkwIa IBYUrRauLIVfYP5On6gN9CUZm X-Received: by 2002:a9d:7a55:: with SMTP id z21mr7445181otm.207.1623517035264; Sat, 12 Jun 2021 09:57:15 -0700 (PDT) X-Received: by 2002:a9d:7a55:: with SMTP id z21mr7445167otm.207.1623517034995; Sat, 12 Jun 2021 09:57:14 -0700 (PDT) Received: from redhat.com ([198.99.80.109]) by smtp.gmail.com with ESMTPSA id z5sm441638oth.6.2021.06.12.09.57.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 12 Jun 2021 09:57:14 -0700 (PDT) Date: Sat, 12 Jun 2021 10:57:11 -0600 From: Alex Williamson To: Jason Gunthorpe Cc: Joerg Roedel , "Tian, Kevin" , Jean-Philippe Brucker , David Gibson , Jason Wang , "parav@mellanox.com" , "Enrico Weigelt, metux IT consult" , Paolo Bonzini , Shenming Lu , Eric Auger , Jonathan Corbet , "Raj, Ashok" , "Liu, Yi L" , "Wu, Hao" , "Jiang, Dave" , Jacob Pan , Kirti Wankhede , Robin Murphy , "kvm@vger.kernel.org" , "iommu@lists.linux-foundation.org" , David Woodhouse , LKML , Lu Baolu Subject: Re: Plan for /dev/ioasid RFC v2 Message-ID: <20210612105711.7ac68c83.alex.williamson@redhat.com> In-Reply-To: <20210612012846.GC1002214@nvidia.com> References: <20210609123919.GA1002214@nvidia.com> <20210609150009.GE1002214@nvidia.com> <20210609101532.452851eb.alex.williamson@redhat.com> <20210609102722.5abf62e1.alex.williamson@redhat.com> <20210609184940.GH1002214@nvidia.com> <20210610093842.6b9a4e5b.alex.williamson@redhat.com> <20210611164529.GR1002214@nvidia.com> <20210611133828.6c6e8b29.alex.williamson@redhat.com> <20210612012846.GC1002214@nvidia.com> Organization: Red Hat X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 11 Jun 2021 22:28:46 -0300 Jason Gunthorpe wrote: > On Fri, Jun 11, 2021 at 01:38:28PM -0600, Alex Williamson wrote: > > > That's fine for a serial port, but not a device that can do DMA. > > The entire point of vfio is to try to provide secure, DMA capable > > userspace drivers. If we relax enforcement of that isolation we've > > failed. > > I don't understand why the IOASID matters at all in this. Can you > explain? What is the breach of isolation? I think we're arguing past each other again. VFIO does not care one iota how userspace configures IOASID domains for devices. OTOH, VFIO must be absolutely obsessed that the devices we're providing userspace access to are isolated and continue to be isolated for the extent of that access. Given that we define that a group is the smallest set of devices that can be isolated, that means that for a device to be isolated, the group needs to be isolated. VFIO currently has a contract with the IOMMU backend that a group is attached to an IOMMU context (container) and from that point forward, all devices within that group are known to be isolated. I'm trying to figure out how a device based interface to the IOASID can provide that same contract or whether VFIO needs to be able to monitor the IOASID attachments of the devices in a group to control whether device access is secure. As I outlined to Kevin, I think it makes a lot of sense to maintain a group interface to the IOASID where registering a group signifies a hand-off of responsibility to the IOASIDfd that it is responsible for the isolation of those devices. From there we can determine the value of exposing VFIO device fds directly and whether any of the VFIO interfaces for attaching devices to IOASIDs make sense versus switching to the IOASIDfd at that point. Otherwise, for a device centric VFIO/IOASID model, I need to understand exactly when and how VFIO can know that it's safe to provide access to a device and how the IOASID model guarantees the ongoing safety of that access, which must encompass the safety relative to the entire group. For example, is it VFIO's job to BIND every device in the group? Does binding the device represent the point at which the IOASID takes responsibility for the isolation of the device? If instead it's the ATTACH of a device that provides the isolation, how is VFIO supposed to handle device access across a group when one device is DETACH'd by the user? If ATTACH is the point where isolation is guaranteed, can a DETACH occur through the IOASIDfd rather than the VFIOfd? It seems like the IOASIDfd is going to need ways to manipulate device:IOASID mappings outside of VFIO, so again I wonder if we should switch to an IOASID uAPI at that point rather than using VFIO. Thanks, Alex