RE: [PATCH] Enable SR-IOV instantiation through /sys file
From: Wang, Liang-min
Date: Tue Oct 31 2017 - 08:55:39 EST
> -----Original Message-----
> From: David Woodhouse [mailto:dwmw2@xxxxxxxxxxxxx]
> Sent: Monday, October 30, 2017 8:39 AM
> To: Christoph Hellwig <hch@xxxxxxxxxxxxx>; Duyck, Alexander H
> <alexander.h.duyck@xxxxxxxxx>
> Cc: Wang, Liang-min <liang-min.wang@xxxxxxxxx>;
> alex.williamson@xxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Kirsher, Jeffrey T
> <jeffrey.t.kirsher@xxxxxxxxx>; kvm@xxxxxxxxxxxxxxx; bhelgaas@xxxxxxxxxx;
> linux-pci@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] Enable SR-IOV instantiation through /sys file
>
> On Sat, 2017-10-28 at 23:16 -0700, Christoph Hellwig wrote:
> > On Fri, Oct 27, 2017 at 11:20:41PM +0000, Duyck, Alexander H wrote:
> > >
> > > I don't see this so much as a security problem per-se. It all depends
> > > on the hardware setup. If I recall correctly, there are devices where
> > > the PF function doesn't really do much other than act as a bit more
> > > heavy-weight VF, and the actual logic is handled by a firmware engine
> > > on the device.
> >
> > Can you cite an example?ÂÂWhile those surely could exist in theory,
> > I can't think of a practical example.
>
> I have them, which is why I'm patching the UIO driver to allow num_vfs
> to be set. I don't even want to *use* the UIO driver for any purpose
> except to make that appear in sysfs. It's all handled in the device.
>
> (I think we might be able to just give the PF out to a guest as if it
> were just another VF, but I don't think we actually *do* that right
> now).
Under UEFI secure boot environment, kernel puts restrictions on UIO and its derivatives.
So, user-space function/driver based upon UIO is no longer working under UEFI secure
boot environment. The next viable option is vfio-pci, hence this patch in parallel with
UIO work.