Re: [PATCH] iommu: Fix def_domain_type interaction with untrusted devices

From: Baolu Lu
Date: Wed Apr 24 2024 - 10:18:12 EST


On 2024/4/24 21:04, Jason Gunthorpe wrote:
>> OK, so after all that you do in fact agree? In that case, why are we still
>> mucking about proposing hacks on top of hacks in the AMD driver rather than
>> just fixing the regression sensibly?
>
> It is because your proposal is regressing the meaning of
> def_domain_type back to a policy knob when I've spent a bunch of work
> emptying out def_domain_type implementations to get it into a
> capability report.
>
> def_domain_type is now about *capability*. Does the
> HW/SW/Driver/system support PAGING/IDENTITY or not.
>
> Meaning if def_domain_type says it is not supported then the core code
> should not use it. This is how everything was working until AMD
> changed their driver to lie about what their attach_domain would
> accept.
>
> I do not want to see def_domain_type regress back to being confused
> where some drivers are policy advice and some drivers are capability!
>
> AMD should hack their driver for the rc fix and then go and fix it
> properly to remove the PASID logic entirely from def_domain_type. I
> will also point again out that in v6.9-rc AMD doesn't even support
> PASID yet so this abuse of def_domain_type isn't even needed. 🙁
>
> The core code should continue to treat def_domain_type as capability.

I agree with this. Ideally there should be some mechanism to disallow
any device driver to bind to the device if there's a conflict between
the core policy and iommu hw capability because iommu-dma functionality
is already compromised.

If we all agree with the statement that "the core should treat
def_domain_type as capability", the intel iommu driver needs some
enhancement as well.

For example, the intel iommu driver allows users to opt graphics devices
in to passthrough mode; in that case def_domain_type will return
IOMMU_DOMAIN_IDENTITY no matter whether the device is trusted or not.

	if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev))
		return IOMMU_DOMAIN_IDENTITY;

This potentially creates the same conflict as the amd driver.

Best regards,
baolu
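
The conflict discussed in this message, as an added example that is not part of the original mail and is not kernel code: a userspace model in which a driver callback shaped like the quoted check meets a core that treats the report as capability. All model_* and MODEL_* names, the trust flag, and the core's refuse-on-conflict behaviour are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model. Only the idea comes from the thread: the
 * driver reports a required domain type and the core wants a translated
 * DMA domain for untrusted devices. Every name here is hypothetical. */
enum model_domain {
    MODEL_CONFLICT = -1,  /* core requirement and driver report disagree */
    MODEL_ANY      = 0,   /* driver states no requirement */
    MODEL_IDENTITY = 1,   /* passthrough, no translation */
    MODEL_DMA      = 2,   /* paging domain used for DMA isolation */
};

struct model_dev { bool untrusted; bool is_gfx; };  /* constructed flags */

/* User opt-in for graphics passthrough, as in the quoted snippet. */
static bool model_gfx_identity_optin = true;

/* Driver side: mirrors the quoted check, which ignores the trust state. */
static enum model_domain model_def_domain_type(const struct model_dev *dev)
{
    if (model_gfx_identity_optin && dev->is_gfx)
        return MODEL_IDENTITY;
    return MODEL_ANY;
}

/* Core side (assumed for this model): the report is capability, so a
 * report that contradicts the DMA domain required for an untrusted
 * device is a conflict to refuse, not a hint the core may override. */
static enum model_domain model_resolve(const struct model_dev *dev,
                                       enum model_domain system_default)
{
    enum model_domain req = model_def_domain_type(dev);

    if (dev->untrusted)
        return (req == MODEL_ANY || req == MODEL_DMA) ? MODEL_DMA
                                                      : MODEL_CONFLICT;
    return req != MODEL_ANY ? req : system_default;
}

int main(void)
{
    struct model_dev gfx_untrusted = { true, true };   /* constructed */
    struct model_dev gfx_trusted   = { false, true };  /* constructed */

    printf("untrusted gfx: %d\n", model_resolve(&gfx_untrusted, MODEL_DMA));
    printf("trusted gfx:   %d\n", model_resolve(&gfx_trusted, MODEL_DMA));
    return 0;
}
```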