Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio

From: Jason Gunthorpe
Date: Tue Apr 20 2021 - 09:00:02 EST

Next message: Chris von Recklinghausen: "[PATCH 1/1 v10] x86/power use crc32 instead of md5 for hibernation e820 integrity check"
Previous message: David Hildenbrand: "Re: [PATCH v1 1/4] include/linux/mmzone.h: add documentation for pfn_valid()"
In reply to: liulongfang: "Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio"
Next in thread: liulongfang: "Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 20, 2021 at 08:50:12PM +0800, liulongfang wrote:
> On 2021/4/19 20:33, Jason Gunthorpe wrote:
> > On Mon, Apr 19, 2021 at 08:24:40PM +0800, liulongfang wrote:
> >
> >>> I'm also confused how this works securely at all, as a general rule a
> >>> VFIO PCI driver cannot access the MMIO memory of the function it is
> >>> planning to assign to the guest. There is a lot of danger that the
> >>> guest could access that MMIO space one way or another.
> >>
> >> VF's MMIO memory is divided into two parts, one is the guest part,
> >> and the other is the live migration part. They do not affect each other,
> >> so there is no security problem.
> >
> > AFAIK there are several scenarios where a guest can access this MMIO
> > memory using DMA even if it is not mapped into the guest for CPU
> > access.
> >
> The hardware divides VF's MMIO memory into two parts. The live migration
> driver in the host uses the live migration part, and the device driver in
> the guest uses the guest part. They obtain the address of VF's MMIO memory
> in their respective drivers, although these two parts The memory is
> continuous on the hardware device, but due to the needs of the drive function,
> they will not perform operations on another part of the memory, and the
> device hardware also independently responds to the operation commands of
> the two parts.

It doesn't matter, the memory is still under the same PCI BDF and VFIO
supports scenarios where devices in the same IOMMU group are not
isolated from each other.

This is why the granual of isolation is a PCI BDF - VFIO directly
blocks kernel drivers from attaching to PCI BDFs that are not
completely isolated from VFIO BDF.

Bypassing this prevention and attaching a kernel driver directly to
the same BDF being exposed to the guest breaks that isolation model.

> So, I still don't understand what the security risk you are talking about is,
> and what do you think the security design should look like?
> Can you elaborate on it?

Each security domain must have its own PCI BDF.

The migration control registers must be on a different VF from the VF
being plugged into a guest and the two VFs have to be in different
IOMMU groups to ensure they are isolated from each other.

Jason

Next message: Chris von Recklinghausen: "[PATCH 1/1 v10] x86/power use crc32 instead of md5 for hibernation e820 integrity check"
Previous message: David Hildenbrand: "Re: [PATCH v1 1/4] include/linux/mmzone.h: add documentation for pfn_valid()"
In reply to: liulongfang: "Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio"
Next in thread: liulongfang: "Re: [RFC PATCH 2/3] vfio/hisilicon: register the driver to vfio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]