RE: Plan for /dev/ioasid RFC v2

From: Tian, Kevin
Date: Mon Jun 14 2021 - 23:14:10 EST


> From: Alex Williamson <alex.williamson@xxxxxxxxxx>
> Sent: Tuesday, June 15, 2021 12:28 AM
>
[...]
> > IOASID. Today the group fd requires an IOASID before it hands out a
> > device_fd. With iommu_fd the device_fd will not allow IOCTLs until it
> > has a blocked DMA IOASID and is successfully joined to an iommu_fd.
>
> Which is the root of my concern. Who owns ioctls to the device fd?
> It's my understanding this is a vfio provided file descriptor and it's
> therefore vfio's responsibility. A device-level IOASID interface
> therefore requires that vfio manage the group aspect of device access.
> AFAICT, that means that device access can therefore only begin when all
> devices for a given group are attached to the IOASID and must halt for
> all devices in the group if any device is ever detached from an IOASID,
> even temporarily. That suggests a lot more oversight of the IOASIDs by
> vfio than I'd prefer.
>

This is possibly the point that is worthy of more clarification and
alignment, as it sounds like the root of controversy here.

I feel the goal of vfio group management is more about ownership, i.e.
all devices within a group must be assigned to a single user. Following
the three rules defined by Jason, what we really care about is whether a
group of devices can be isolated from the rest of the world, i.e. no access
to memory/devices outside of its security context and no access to its
security context from devices outside of this group. This can be achieved
as long as every device in the group is either in the block-DMA state when
it's not attached to any security context, or attached to an IOASID context
in the IOMMU fd.

As long as group-level isolation is satisfied, how devices within a group
are further managed is decided by the user (unattached, all attached to the
same IOASID, attached to different IOASIDs), as long as the user
understands the implication of lacking isolation within the group. This
is where a device-centric model comes into play. Misconfiguration only
hurts the user itself.

If this rationale can be agreed on, then I don't see the point of having
VFIO mandate that all devices in the group be attached/detached in
lockstep.

Thanks
Kevin
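The group-isolation rule discussed in this message, as an added example that is not part of the thread, of the kernel, or of any proposed /dev/iommu or vfio API: a small C model in which every type and function (iommu_fd, ioasid, group, device_join, device_attach, device_detach, group_isolated, device_ioctl_allowed) is an assumption made for illustration. It encodes the invariant Kevin states: the group has one owning iommu_fd, and each device is either in the block-DMA state or attached to an IOASID of that owner. Within that invariant the devices of a group may be unattached, attached to the same IOASID, or attached to different IOASIDs, and detaching one does not halt its siblings; a device that was never joined (and so can still DMA) breaks isolation for the whole group, and an attach to another user's IOASID is refused.

```c
/* Hypothetical model of the group-isolation rule; not kernel code.
 * All types, states and functions below are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_GROUP_DEVS 8

enum dev_state {
	DEV_NOT_JOINED,   /* bound to vfio but not yet joined to an iommu_fd */
	DEV_BLOCKED_DMA,  /* joined, no IOASID: all DMA blocked */
	DEV_ATTACHED,     /* joined and attached to an IOASID */
};

struct iommu_fd { int id; };                       /* one per user */
struct ioasid   { int id; struct iommu_fd *owner; };
struct device   { int id; enum dev_state state; struct ioasid *ioasid; };
struct group {
	struct iommu_fd *owner;                    /* a single user owns the group */
	struct device *devs[MAX_GROUP_DEVS];
	size_t ndevs;
};

/* Group-level isolation: every device is either in the block-DMA state or
 * attached to an IOASID of the owning iommu_fd. How devices are split
 * across IOASIDs inside the group is deliberately not checked. */
bool group_isolated(const struct group *g)
{
	for (size_t i = 0; i < g->ndevs; i++) {
		const struct device *d = g->devs[i];
		switch (d->state) {
		case DEV_BLOCKED_DMA:
			if (d->ioasid != NULL)
				return false;
			break;
		case DEV_ATTACHED:
			if (d->ioasid == NULL || d->ioasid->owner != g->owner)
				return false;
			break;
		default:
			return false; /* a never-joined device can still DMA */
		}
	}
	return true;
}

/* Device-fd ioctls are gated on group isolation, not on lockstep attachment. */
bool device_ioctl_allowed(const struct group *g, const struct device *d)
{
	return d->state != DEV_NOT_JOINED && group_isolated(g);
}

void device_join(struct device *d)            /* joining blocks DMA */
{
	d->state = DEV_BLOCKED_DMA;
	d->ioasid = NULL;
}

/* Refuse an IOASID of another iommu_fd: it would hand part of the group
 * to a different user, which is the ownership rule the group enforces. */
bool device_attach(struct group *g, struct device *d, struct ioasid *a)
{
	if (d->state == DEV_NOT_JOINED || a->owner != g->owner)
		return false;
	d->state = DEV_ATTACHED;
	d->ioasid = a;
	return true;
}

void device_detach(struct device *d)
{
	d->state = DEV_BLOCKED_DMA;
	d->ioasid = NULL;
}

/* Constructed scenario: mixed attachment within one group stays isolated. */
bool scenario_mixed_attachment(void)
{
	struct iommu_fd user = { .id = 1 };
	struct ioasid a = { .id = 10, .owner = &user }, b = { .id = 11, .owner = &user };
	struct device d0 = { .id = 0, .state = DEV_NOT_JOINED }, d1 = { .id = 1, .state = DEV_NOT_JOINED };
	struct group g = { .owner = &user, .devs = { &d0, &d1 }, .ndevs = 2 };

	device_join(&d0);
	device_join(&d1);
	device_attach(&g, &d0, &a);                 /* d0 attached, d1 still blocked */
	bool ok = group_isolated(&g) && device_ioctl_allowed(&g, &d1);
	device_attach(&g, &d1, &b);                 /* different IOASIDs in one group */
	ok = ok && group_isolated(&g);
	device_detach(&d0);                         /* no lockstep: d1 keeps running */
	return ok && device_ioctl_allowed(&g, &d1);
}

/* Constructed scenario: attaching to another user's IOASID is rejected. */
bool scenario_cross_user_attach_rejected(void)
{
	struct iommu_fd user = { .id = 1 }, other = { .id = 2 };
	struct ioasid foreign = { .id = 20, .owner = &other };
	struct device d0 = { .id = 0, .state = DEV_NOT_JOINED };
	struct group g = { .owner = &user, .devs = { &d0 }, .ndevs = 1 };

	device_join(&d0);
	bool attached = device_attach(&g, &d0, &foreign);
	return !attached && group_isolated(&g);
}

/* Constructed scenario: a never-joined sibling breaks isolation for all. */
bool scenario_unjoined_device_breaks_isolation(void)
{
	struct iommu_fd user = { .id = 1 };
	struct ioasid a = { .id = 10, .owner = &user };
	struct device d0 = { .id = 0, .state = DEV_NOT_JOINED }, d1 = { .id = 1, .state = DEV_NOT_JOINED };
	struct group g = { .owner = &user, .devs = { &d0, &d1 }, .ndevs = 2 };

	device_join(&d0);
	device_attach(&g, &d0, &a);
	return !group_isolated(&g) && !device_ioctl_allowed(&g, &d0);
}

int main(void)
{
	printf("mixed attachment isolated: %d\n", scenario_mixed_attachment());
	printf("cross-user attach rejected: %d\n", scenario_cross_user_attach_rejected());
	printf("unjoined device breaks isolation: %d\n", scenario_unjoined_device_breaks_isolation());
	return 0;
}
```

The point the model makes is the one argued above: the check that matters is per group and about ownership (every device blocked or attached under one iommu_fd), while attach and detach are per device, so one device can be detached without halting its siblings. The third scenario shows the case that does require group-wide oversight: a device that has not yet been joined at all.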