Re: [PATCH V4 05/18] iommu/ioasid: Redefine IOASID set and allocation APIs
From: Jacob Pan
Date: Wed Mar 31 2021 - 19:44:37 EST
Hi Jason,
On Wed, 31 Mar 2021 09:38:01 -0300, Jason Gunthorpe <jgg@xxxxxxxxxx> wrote:
> > > Get rid of the ioasid set.
> > >
> > > Each driver has its own list of allowed ioasids.
> [...]
>
> The /dev/ioasid FD replaces this security check. By becoming FD
> centric you don't need additional kernel security objects.
>
> Any process with access to the /dev/ioasid FD is allowed to control
> those PASID. The seperation between VMs falls naturally from the
> seperation of FDs without creating additional, complicated, security
> infrastrucure in the kernel.
>
> This is why all APIs must be FD focused, and you need to have a
> logical layering of responsibility.
>
> Allocate a /dev/ioasid FD
> Allocate PASIDs inside the FD
> Assign memory to the PASIDS
>
> Open a device FD, eg from VFIO or VDP
> Instruct the device FD to authorize the device to access PASID A in
> an ioasid FD
How do we know user provided PASID A was allocated by the ioasid FD?
Shouldn't we validate user input by tracking which PASIDs are allocated by
which ioasid FD? This is one reason why we have ioasid_set and its xarray.
> * Prior to being authorized the device will have NO access to any
> PASID
> * Presenting BOTH the device FD and the ioasid FD to the kernel
> is the security check. Any process with both FDs is allowed to
> make the connection. This is normal Unix FD centric thinking.
>
> > > Register a ioasid in the driver's list by passing the fd and ioasid #
> > >
> >
> > The fd here is a device fd. Am I right?
>
> It would be the vfio_device FD, for instance, and a VFIO IOCTL.
>
> > If yes, your idea is ioasid is allocated via /dev/ioasid and
> > associated with device fd via either VFIO or vDPA ioctl. right?
> > sorry I may be asking silly questions but really need to ensure we
> > are talking in the same page.
>
> Yes, this is right
>
> > > No listening to events. A simple understandable security model.
> >
> > For this suggestion, I have a little bit concern if we may have A-B/B-A
> > lock sequence issue since it requires the /dev/ioasid (if it supports)
> > to call back into VFIO/VDPA to check if the ioasid has been registered
> > to device FD and record it in the per-device list. right? Let's have
> > more discussion based on the skeleton sent by Kevin.
>
> Callbacks would be backwards.
>
> User calls vfio with vfio_device fd and dev/ioasid fd
>
> VFIO extracts some kernel representation of the ioasid from the ioasid
> fd using an API
>
This lookup API seems to be asking for per ioasid FD storage array. Today,
the ioasid_set is per mm and contains a Xarray. Since each VM, KVM can only
open one ioasid FD, this per FD array would be equivalent to the per mm
ioasid_set, right?
> VFIO does some kernel call to IOMMU/IOASID layer that says 'tell the
> IOMMU that this PCI device is allowed to use this PASID'
>
Would it be redundant to what iommu_uapi_sva_bind_gpasid() does? I thought
the idea is to use ioasid FD IOCTL to issue IOMMU uAPI calls. Or we can
skip this step for now and wait for the user to do SVA bind.
> VFIO mdev drivers then record that the PASID is allowed in its own
> device specific struct for later checking during other system calls.
Thanks,
Jacob