Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3920832pxb; Mon, 30 Aug 2021 14:04:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyMKOZpa1/H4ii+IrH7CNZx31QDSaVHCTTjMhPeMdaVIXulKU5zMcxjRFfVWI8VEc9ToJUp X-Received: by 2002:aa7:cc0b:: with SMTP id q11mr25724201edt.251.1630357442935; Mon, 30 Aug 2021 14:04:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630357442; cv=none; d=google.com; s=arc-20160816; b=KC12lprF+VBP6n+k3MAdLOm/W2qUkkMt576nCmtyM45B1nPqWNEFQddcPcWtZoBNn/ TudxgGUDHlzRbk/h3ZCeOUKP1O4RIL2bJDU9KqK1jaK9CDluwHnArsdkLbaJ4LTPGb3E lg1xHAx9Sn8FBJ/jf73/jTvGmxJ5PtzmkohTXBWFi7Qab4e7YmFOvm5bhBtwffo0iO+t mdx134Wx9UQfrgINIK/twMRqfTP0uDzQbnHgsSmSKn4PZ8lNEMdshujgrYy7uHzdQ7Az qvMzJKjaOett6rRf9wqzqSSqwOzB4WKAIRiBp6+/huZ+XvPbHEpWef3OInu+eFH5klru XOrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=ZDgZoaGxuF8+VxsBt8mWUj6L6RMapnQD42kDmE3TNZQ=; b=OWboeGdHb3cUwT2hmZfy9j145Ks3X0KsnwNUXKxaF98O7ZnHdjQqay85ip5bIghv2n 24mxhG+H9GhhpMAVcWDfMVIBpmkXRjiMQaN93WLYan0CkT+rrwb1Pp8yFwzAWToCe0qN 8HsfYF4VQlMY6RYJBxvYp48GS+sCqNd6Gg37P1uyqa6h4T+SoJrkKiPgh3HVlk3Gj53k bmK6w2iA9j57WGAgwci0kNZ0LmQY1foHc90AsXvOmRpSjvtT2hgdwXweuCL2nfiUexX/ TzL8veGvKYPH9rNbH47KH9qPayK8yz5VoMMF0jsxc+ymA1YYRUghb2aNzoVzFsZN0IHC dSPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="GH03Om/4"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k9si15637494edh.461.2021.08.30.14.03.37; Mon, 30 Aug 2021 14:04:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="GH03Om/4"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235412AbhH3VA4 (ORCPT + 99 others); Mon, 30 Aug 2021 17:00:56 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:46670 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236056AbhH3VAy (ORCPT ); Mon, 30 Aug 2021 17:00:54 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1630357199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZDgZoaGxuF8+VxsBt8mWUj6L6RMapnQD42kDmE3TNZQ=; b=GH03Om/445Kfh0spCpfgBXGkgopeKaJKIqsbbIqGNoDmAlnZTvAthA2tI2dz9Aq5cuTnHb S/4bNzDF2aRH+g5BXDAau4HDRE6CwBE5H4ZiUVX0kxknRtFixsmYk2gTkESXfR+1kQusEc NugrIp20O33foRVdV+QJ3G9RR3jW/9o= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-584-1KZ7eZtjPpmJHm4R-BtFEA-1; Mon, 30 Aug 2021 16:59:57 -0400 X-MC-Unique: 1KZ7eZtjPpmJHm4R-BtFEA-1 Received: by mail-wm1-f71.google.com with SMTP id m16-20020a7bca50000000b002ee5287d4bfso447337wml.7 for ; Mon, 30 Aug 2021 13:59:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=ZDgZoaGxuF8+VxsBt8mWUj6L6RMapnQD42kDmE3TNZQ=; b=D/ZWcYIgyt4xYbVTY4KIE15WIP+We/vQld08taCpmS5Na0X1kn2KBWCrslTDd/FZvN Qt9mRQpP4IOg1TQyny2LHotfxV8wentRV/guy6pJmn8eEXcgrQmjkmhR+TmTWXEBZXrG P4BN0dsogUu57++CmrsSoD2f/l0Nz6bm9kgEEm9SNEqEuSIoDTHIkXop77LKed6zzAEC kKz4KmfjW8dZ8QzSDGgbupFwQ21lYo9d9wq8XL2xYYkGXNxMNT26v78TN96RPpDQNCEY CYYlwTEmV8XoomSnGEf8dD9YWugZNF9I6MSPearuqZ+V5DVVvCTqSHSsjUHplFGbtks+ c6Gw== X-Gm-Message-State: AOAM531bnYlhyChD5MQ0PEKF2Nw3fXEhcu67WxCq92/kSpDucc5gQW8D RXGUSU8ZwM3jzVvJvAYJPnFDNH7InxyWwKvNs067T8ZS1U4i6WgiF5Y/wBSzMPhEwNgFtEy+gpy t+sNj+uVnRPs3P3EdTFM1wJu8 X-Received: by 2002:a1c:7f48:: with SMTP id a69mr887122wmd.166.1630357196518; Mon, 30 Aug 2021 13:59:56 -0700 (PDT) X-Received: by 2002:a1c:7f48:: with SMTP id a69mr887093wmd.166.1630357196296; Mon, 30 Aug 2021 13:59:56 -0700 (PDT) Received: from redhat.com ([2.55.138.60]) by smtp.gmail.com with ESMTPSA id z9sm12277068wre.11.2021.08.30.13.59.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Aug 2021 13:59:55 -0700 (PDT) Date: Mon, 30 Aug 2021 16:59:50 -0400 From: "Michael S. Tsirkin" To: Andi Kleen Cc: Dan Williams , "Kuppuswamy, Sathyanarayanan" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Peter Zijlstra , Andy Lutomirski , Bjorn Helgaas , Richard Henderson , Thomas Bogendoerfer , James E J Bottomley , Helge Deller , "David S . Miller" , Arnd Bergmann , Jonathan Corbet , Peter H Anvin , Dave Hansen , Tony Luck , Kirill Shutemov , Sean Christopherson , Kuppuswamy Sathyanarayanan , X86 ML , Linux Kernel Mailing List , Linux PCI , linux-alpha@vger.kernel.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, sparclinux@vger.kernel.org, linux-arch , Linux Doc Mailing List , virtualization@lists.linux-foundation.org Subject: Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} Message-ID: <20210830163723-mutt-send-email-mst@kernel.org> References: <20210823195409-mutt-send-email-mst@kernel.org> <26a3cce5-ddf7-cbe6-a41e-58a2aea48f78@linux.intel.com> <20210824053830-mutt-send-email-mst@kernel.org> <20210829112105-mutt-send-email-mst@kernel.org> <09b340dd-c8a8-689c-4dad-4fe0e36d39ae@linux.intel.com> <20210829181635-mutt-send-email-mst@kernel.org> <3a88a255-a528-b00a-912b-e71198d5f58f@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <3a88a255-a528-b00a-912b-e71198d5f58f@linux.intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Aug 29, 2021 at 10:11:46PM -0700, Andi Kleen wrote: > > On 8/29/2021 3:26 PM, Michael S. Tsirkin wrote: > > On Sun, Aug 29, 2021 at 09:17:53AM -0700, Andi Kleen wrote: > > > Also I changing this single call really that bad? It's not that we changing > > > anything drastic here, just give the low level subsystem a better hint about > > > the intention. If you don't like the function name, could make it an > > > argument instead? > > My point however is that the API should say that the > > driver has been audited, > > We have that status in the struct device. If you want to tie the ioremap to > that we could define a ioremap_device() with a device argument and decide > based on that. But it's not the device that is audited. And it's not the device that might be secure or insecure. It's the driver. > Or we can add _audited to the name. ioremap_shared_audited? But it's not the mapping that has to be done in handled special way. It's any data we get from device, not all of it coming from IO, e.g. there's DMA and interrupts that all have to be validated. Wouldn't you say that what is really wanted is just not running unaudited drivers in the first place? > > > not that the mapping has been > > done in some special way. For example the mapping can be > > in some kind of wrapper, not directly in the driver. > > However you want the driver validated, not the wrapper. > > > > Here's an idea: > > > I don't think magic differences of API behavior based on some define are a > good idea.? That's easy to miss. Well ... my point is that actually there is no difference in API behaviour. the map is the same map, exactly same data goes to device. If anything any non-shared map is special in that encrypted data goes to device. > > That's a "COME FROM" in API design. > > Also it wouldn't handle the case that a driver has both private and shared > ioremaps, e.g. for BIOS structures. Hmm. Interesting. It's bios maps that are unusual and need to be private though ... > And we've been avoiding that drivers can self declare auditing, we've been > trying to have a separate centralized list so that it's easier to enforce > and avoids any cut'n'paste mistakes. > > -Andi Now I'm confused. What is proposed here seems to be basically that, drivers need to declare auditing by replacing ioremap with ioremap_shared. -- MST