Re: [PATCH V4 05/18] iommu/ioasid: Redefine IOASID set and allocation APIs

From: David Gibson
Date: Tue Jun 01 2021 - 02:36:28 EST


On Thu, May 27, 2021 at 03:48:47PM -0300, Jason Gunthorpe wrote:
> On Thu, May 27, 2021 at 02:58:30PM +1000, David Gibson wrote:
> > On Tue, May 25, 2021 at 04:52:57PM -0300, Jason Gunthorpe wrote:
> > > On Wed, May 26, 2021 at 12:56:30AM +0530, Kirti Wankhede wrote:
> > >
> > > > 2. iommu backed mdev devices for SRIOV where mdev device is created per
> > > > VF (mdev device == VF device) then that mdev device has same iommu
> > > > protection scope as VF associated to it.
> > >
> > > This doesn't require, and certainly shouldn't create, a fake group.
> >
> > It's only fake if you start with a narrow view of what a group is.
>
> A group is connected to drivers/iommu. A group object without *any*
> relation to drivers/iommu is just a complete fiction, IMHO.

That might be where we differ. As I've said, by "group" I'm primarily
meaning the fundamental hardware unit of isolation. *Usually* that's
determined by the capabilities of an IOMMU, but in some cases it might
not be. In either case, the boundaries still matter.

> > > Only the VF's real IOMMU group should be used to model an iommu domain
> > > linked to a VF. Injecting fake groups that are proxies for real groups
> > > only opens the possibility of security problems like David is
> > > concerned with.
> >
> > It's not a proxy for a real group, it's a group of its own. If you
> > discover that (due to a hardware bug, for example) the mdev is *not*
>
> What Kirti is talking about here is the case where a mdev is wrapped
> around a VF and the DMA isolation stems directly from the SRIOV VF's
> inherent DMA isolation, not anything the mdev wrapper did.
>
> The group providing the isolation is the VF's group.

Yes, in that case the mdev absolutely should be in the VF's group -
having its own group is not just messy but incorrect.

> The group mdev implicitly creates is just a fake proxy that comes
> along with mdev API. It doesn't do anything and it doesn't mean
> anything.

But.. the case of multiple mdevs managed by a single PCI device with
an internal IOMMU also exists, and then the mdev groups are *not*
proxies but true groups independent of the parent device. Which means
that the group structure of mdevs can vary, which is an argument *for*
keeping it, not against.

> > properly isolated from its parent PCI device, then both the mdev
> > virtual device *and* the physical PCI device are in the same group.
> > Groups including devices of different types and on different buses
> > were considered from the start, and are precedented, if rare.
>
> This is far too theoretical for me. A security broken mdev is
> functionally useless.

Is it, though? Again, I'm talking about the case of multiple mdevs
with a single parent device (because that's the only case I was aware
of until recently). Isolation comes from a device-internal
IOMMU... that turns out to be broken. But if your security domain
happens to include all the mdevs on the device anyway, then you don't
care.

Are you really going to say people can't use their fancy hardware in
this mode because it has a security flaw that's not relevant to their
usecase?


And then.. there's Kirti's case. In that case the mdev should belong
to its parent PCI device's group since that's what's providing
isolation. But in that case the parent device can be in a
multi-device group for any of the usual reasons (PCIe-to-PCI bridge,
PCIe switch with broken ACS, multifunction device with crosstalk).
Which means the mdev also shares a group with those other devices. So
again, the group structure matters and is not a fiction.

> We don't need to support it, and we don't need complicated software to
> model it.
>
> Jason
>

--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson

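A practical check for the point made about Kirti's case above: before handing a VF (or an mdev wrapped around it) to a guest, look at which other devices the kernel has placed in the same IOMMU group, because they ride along whether or not you meant them to. This is an added example, not code from the thread or from the patch series. It reads the real sysfs conventions (each device's `iommu_group` symlink points into `/sys/kernel/iommu_groups/<N>`, whose `devices/` directory links back to every member), but the topology it lays out in a temporary directory is constructed: the PCI addresses, the "switch with broken ACS" grouping, the mdev UUIDs and the group numbers are all made up for the demonstration.

```python
"""Enumerate IOMMU group membership from a sysfs tree.

Added example; not code from the thread or from the kernel. The sysfs
layout mirrored here is the real one, the topology below is constructed.
"""
import os
import tempfile

# Constructed mdev UUIDs (not real devices).
MDEV_A = "c0ffee00-0000-4000-8000-00000000000a"
MDEV_B = "c0ffee00-0000-4000-8000-00000000000b"
MDEV_C = "c0ffee00-0000-4000-8000-00000000000c"

# Constructed topology, chosen to match the two cases argued in the thread:
#  - 0000:03:00.0 (PF), its VF 0000:03:00.1 and an unrelated endpoint
#    0000:04:00.0 sit below a switch whose ACS is broken, so the host put all
#    of them in group 12. MDEV_C is wrapped around the VF and therefore
#    belongs to the VF's group, not to a group of its own.
#  - 0000:05:00.0 has a device-internal IOMMU; its mdevs MDEV_A and MDEV_B
#    get independent groups (20 and 21).
# Entries are (path under /sys/devices, group id); an mdev lives under its
# parent's directory, as it does on a real system.
TOPOLOGY = [
    ("0000:03:00.0", 12),
    ("0000:03:00.1", 12),
    ("0000:04:00.0", 12),
    ("0000:03:00.1/" + MDEV_C, 12),
    ("0000:05:00.0", 13),
    ("0000:05:00.0/" + MDEV_A, 20),
    ("0000:05:00.0/" + MDEV_B, 21),
]


def build_fake_sysfs(root, topology=TOPOLOGY):
    """Create devices/, bus/{pci,mdev}/devices/ and kernel/iommu_groups/ with
    the same relative symlinks the kernel exposes."""
    for path, group in topology:
        devdir = os.path.join(root, "devices", path)
        os.makedirs(devdir, exist_ok=True)
        # devices/<path>/iommu_group -> ../../[../]kernel/iommu_groups/<N>
        ups = "../" * (path.count("/") + 2)
        os.symlink(ups + "kernel/iommu_groups/%d" % group,
                   os.path.join(devdir, "iommu_group"))
        # bus/<bus>/devices/<name> -> ../../../devices/<path>
        bus = "mdev" if "/" in path else "pci"
        name = os.path.basename(path)
        busdir = os.path.join(root, "bus", bus, "devices")
        os.makedirs(busdir, exist_ok=True)
        os.symlink("../../../devices/" + path, os.path.join(busdir, name))
        # kernel/iommu_groups/<N>/devices/<name> -> ../../../../devices/<path>
        grpdir = os.path.join(root, "kernel", "iommu_groups", str(group), "devices")
        os.makedirs(grpdir, exist_ok=True)
        os.symlink("../../../../devices/" + path, os.path.join(grpdir, name))


def iommu_group_of(sysfs_root, bus, dev):
    """Return (group_id, sorted member names) for bus/<bus>/devices/<dev>,
    or None if the device has no IOMMU group at all."""
    link = os.path.join(sysfs_root, "bus", bus, "devices", dev, "iommu_group")
    if not os.path.islink(link):
        return None
    group_dir = os.path.realpath(link)
    members = sorted(os.listdir(os.path.join(group_dir, "devices")))
    return int(os.path.basename(group_dir)), members


def ride_alongs(sysfs_root, bus, dev, intended):
    """Group members of `dev` that the caller did not plan to assign.

    Anything listed here shares the device's DMA isolation boundary, and vfio
    will not give the group to userspace while a member is still bound to a
    host driver, so a non-empty result means the assignment plan is wrong."""
    info = iommu_group_of(sysfs_root, bus, dev)
    if info is None:
        return None
    _, members = info
    return [m for m in members if m != dev and m not in intended]


def demo():
    """Build the constructed tree and answer the questions from the thread."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_sysfs(root)
        return {
            "vf": iommu_group_of(root, "pci", "0000:03:00.1"),
            "mdev_on_vf": iommu_group_of(root, "mdev", MDEV_C),
            "mdev_a": iommu_group_of(root, "mdev", MDEV_A),
            "mdev_b": iommu_group_of(root, "mdev", MDEV_B),
            # Plan: assign the VF plus its mdev, nothing else.
            "extra": ride_alongs(root, "pci", "0000:03:00.1", {MDEV_C}),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real machine by pointing the query functions at `/sys` instead of the temporary tree; the `ride_alongs` result is the list to worry about, since on the constructed topology it shows the PF and the unrelated endpoint 0000:04:00.0 coming along with the VF, exactly the situation described for a switch without ACS, while each mdev on the device with an internal IOMMU stays alone in its own group.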