Re: [PATCH] iommu: Include MSI susceptibility to DMA in creating iommu groups

From: Chris Wright
Date: Wed Nov 23 2011 - 15:12:37 EST


* Joerg Roedel (joerg.roedel@xxxxxxx) wrote:
> On Mon, Nov 21, 2011 at 03:35:05PM -0800, Chris Wright wrote:
>
> > What is the value of a group w/out complete isolation?
>
> There is still isolation for DMA. This may be sufficient for non-KVM
> use-cases like a device driver partially implemented in userspace. There
> is no guest then that can attack the host with wrong interrupts.

There is a userspace process that could though. I think I'm missing
the distinction. In either case there is unprivileged code that could
program the hw to generate PCI write transactions that negatively affect
the system.

> > Is there a practical problem w/ conflating the subtleties above?
>
> Same argument as above. It ties the iommu_group interface to the KVM
> use case.

I don't agree that it's the KVM use case. It's the unprivileged code
owning a device use case. The promise of SR-IOV + IOMMU + PASID shows
hw is trying to go there.

> Another more practical impact of this patch is that a reboot is
> required to re-enable iommu-groups. When the check happens in VFIO it is
> a simple module-reload.

I suppose, however iommu itself is managed via kernel cmdline and
reboot...

I guess we agree that we need to be able to give the user some way of
managing the risk they're willing to take, and just not on where the
flag should go?

thanks,
-chris