RE: [RFC 3/7] iommufd: Add iommufd_device_bind_pasid()

From: Tian, Kevin
Date: Wed Nov 08 2023 - 03:46:47 EST

Next message: Ankur Arora: "Re: [RFC PATCH 45/86] preempt: ARCH_NO_PREEMPT only preempts lazily"
Previous message: Guan-Yu Lin: "Re: [PATCH] rpm: pm: enable PM_RPM_EXCEPTION config flag"
In reply to: Yi Liu: "Re: [RFC 3/7] iommufd: Add iommufd_device_bind_pasid()"
Next in thread: Yi Liu: "Re: [RFC 3/7] iommufd: Add iommufd_device_bind_pasid()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Liu, Yi L <yi.l.liu@xxxxxxxxx>
> Sent: Wednesday, November 8, 2023 3:45 PM
>
> On 2023/10/10 16:19, Tian, Kevin wrote:
> >> From: Liu, Yi L <yi.l.liu@xxxxxxxxx>
> >> Sent: Monday, October 9, 2023 4:51 PM
> >>
> >> +struct iommufd_device *iommufd_device_bind_pasid(struct
> iommufd_ctx
> >> *ictx,
> >> + struct device *dev,
> >> + u32 pasid, u32 *id)
> >> +{
> >> + struct iommufd_device *idev;
> >> + int rc;
> >> +
> >> + /*
> >> + * iommufd always sets IOMMU_CACHE because we offer no way for
> >> userspace
> >> + * to restore cache coherency.
> >> + */
> >> + if (!device_iommu_capable(dev, IOMMU_CAP_CACHE_COHERENCY))
> >> + return ERR_PTR(-EINVAL);
> >> +
> >> + /*
> >> + * No iommu supports pasid-granular msi message today. Here we
> >> + * just check whether the parent device can do safe interrupts.
> >> + * Isolation between virtual devices within the parent device
> >> + * relies on the parent driver to enforce.
> >> + */
> >> + if (!iommufd_selftest_is_mock_dev(dev) &&
> >> + !msi_device_has_isolated_msi(dev)) {
> >> + rc = iommufd_allow_unsafe_interrupts(dev);
> >> + if (rc)
> >> + return ERR_PTR(rc);
> >> + }
> >> +
> >
> > Only MemWr w/o pasid can be interpreted as an interrupt message
> > then we need msi isolation to protect.
>
> yes.
>
> >
> > But for SIOV all MemWr's are tagged with a pasid hence can never
> > trigger an interrupt. From this angle looks this check is unnecessary.
>
> But the interrupts out from a SIOV virtual device do not have pasid (at
> least today). Seems still need a check here if we consider this bind for
> a SIOV virtual device just like binding a physical device.
>

this check assumes the device is trusted. as long as there is no way
for malicious guest to generate arbitrary interrupt messages then
it's fine.

for physical device a MemWr can be interpreted as interrupt so
we need msi isolation.

for SIOV all MemWr has pasid then we don't have such worry.
IMS is under host's control so interrupt messages are already
sanitized.

Next message: Ankur Arora: "Re: [RFC PATCH 45/86] preempt: ARCH_NO_PREEMPT only preempts lazily"
Previous message: Guan-Yu Lin: "Re: [PATCH] rpm: pm: enable PM_RPM_EXCEPTION config flag"
In reply to: Yi Liu: "Re: [RFC 3/7] iommufd: Add iommufd_device_bind_pasid()"
Next in thread: Yi Liu: "Re: [RFC 3/7] iommufd: Add iommufd_device_bind_pasid()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]