Re: [PATCH v4 3/7] s390: zcrypt: driver callback to indicate resource in use

[Tony Krowiak]

On 6/27/19 3:25 AM, Cornelia Huck wrote:
> On Wed, 26 Jun 2019 17:13:50 -0400
> Tony Krowiak <akrowiak@xxxxxxxxxxxxx> wrote:
>
> > On 6/19/19 9:04 AM, Tony Krowiak wrote:
> > > On 6/18/19 12:25 PM, Cornelia Huck wrote:
> > > > On Thu, 13 Jun 2019 15:39:36 -0400
> > > > Tony Krowiak <akrowiak@xxxxxxxxxxxxx> wrote:
> > > >   
> > > > > Introduces a new driver callback to prevent a root user from unbinding
> > > > > an AP queue from its device driver if the queue is in use. This prevents
> > > > > a root user from inadvertently taking a queue away from a guest and
> > > > > giving it to the host, or vice versa. The callback will be invoked
> > > > > whenever a change to the AP bus's apmask or aqmask sysfs interfaces may
> > > > > result in one or more AP queues being removed from its driver. If the
> > > > > callback responds in the affirmative for any driver queried, the change
> > > > > to the apmask or aqmask will be rejected with a device in use error.
> > > > >
> > > > > For this patch, only non-default drivers will be queried. Currently,
> > > > > there is only one non-default driver, the vfio_ap device driver. The
> > > > > vfio_ap device driver manages AP queues passed through to one or more
> > > > > guests and we don't want to unexpectedly take AP resources away from
> > > > > guests which are most likely independently administered.
> > > > >
> > > > > Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxx>
> > > > > ---
> > > > >  Â drivers/s390/crypto/ap_bus.c | 138
> > > > > +++++++++++++++++++++++++++++++++++++++++--
> > > > >  Â drivers/s390/crypto/ap_bus.h |ÂÂ 3 +
> > > > >  Â 2 files changed, 135 insertions(+), 6 deletions(-)
> > > >
> > > > Hm... I recall objecting to this patch before, fearing that it makes it
> > > > possible for a bad actor to hog resources that can't be removed by
> > > > root, even forcefully. (I have not had time to look at the intervening
> > > > versions, so I might be missing something.)
> > > >
> > > > Is there a way for root to forcefully override this?
> > >
> > > You recall correctly; however, after many internal crypto team
> > > discussions, it was decided that this feature was important
> > > and should be kept.
> > >
> > > Allow me to first address your fear that a bad actor can hog
> > > resources that can't be removed by root. With this enhancement,
> > > there is nothing preventing a root user from taking resources
> > > from a matrix mdev, it simply forces him/her to follow the
> > > proper procedure. The resources to be removed must first be
> > > unassigned from the matrix mdev to which they are assigned.
> > > The AP bus's /sys/bus/ap/apmask and /sys/bus/ap/aqmask
> > > sysfs attributes can then be edited to transfer ownership
> > > of the resources to zcrypt.
> > >
> > > The rationale for keeping this feature is:
> > >
> > > * It is a bad idea to steal an adapter in use from a guest. In the worst
> > >   Â case, the guest could end up without access to any crypto adapters
> > >   Â without knowing why. This could lead to performance issues on guests
> > >   Â that rely heavily on crypto such as guests used for blockchain
> > >   Â transactions.
> > >
> > > * There are plenty of examples in linux of the kernel preventing a root
> > >   Â user from performing a task. For example, a module can't be removed
> > >   Â if references are still held for it. Another example would be trying
> > >   Â to bind a CEX4 adapter to a device driver not registered for CEX4;
> > >   Â this action will also be rejected.
> > >
> > > * The semantics are much cleaner and the logic is far less complicated.
> > >
> > > * It forces the use of the proper procedure to change ownership of AP
> > >   Â queues.
> > >   
> >
> > Any feedback on this?
>
> Had not yet time to look at this, sorry.

No problem, just wanted to make sure it didn't get lost in the shuffle.

> > Tony K
> >
> > >    
> > > >   
> > >