Re: [RFC] /dev/ioasid uAPI proposal

From: Jason Gunthorpe
Date: Tue Jun 08 2021 - 15:11:48 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.10 120/137] btrfs: fix error handling in btrfs_del_csums"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 118/137] powerpc/kprobes: Fix validation of prefixed instructions across page boundary"
In reply to: Alex Williamson: "Re: [RFC] /dev/ioasid uAPI proposal"
Next in thread: Enrico Weigelt, metux IT consult: "Re: [RFC] /dev/ioasid uAPI proposal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 08, 2021 at 12:47:00PM -0600, Alex Williamson wrote:
> On Tue, 8 Jun 2021 15:44:26 +0200
> Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
>
> > On 08/06/21 15:15, Jason Gunthorpe wrote:
> > > On Tue, Jun 08, 2021 at 09:56:09AM +0200, Paolo Bonzini wrote:
> > >
> > >>>> Alternatively you can add a KVM_DEV_IOASID_{ADD,DEL} pair of ioctls. But it
> > >>>> seems useless complication compared to just using what we have now, at least
> > >>>> while VMs only use IOASIDs via VFIO.
> > >>>
> > >>> The simplest is KVM_ENABLE_WBINVD(<fd security proof>) and be done
> > >>> with it.
>
> Even if we were to relax wbinvd access to any device (capable of
> no-snoop or not) in any IOMMU configuration (blocking no-snoop or not),
> I think as soon as we say "proof" is required to gain this access then
> that proof should be ongoing for the life of the access.

This idea is not entirely consistent with the usual Unix access
control model..

Eg I can do open() on a file and I get to keep that FD. I get to keep
that FD even if someone later does chmod() on that file so I can't
open it again.

There are lots of examples where a one time access control check
provides continuing access to a resource. I feel the ongoing proof is
the rarity in Unix.. 'revoke' is an uncommon concept in Unix..

That said, I don't feel strongly either way, would just like to see
something implementatbale. Even the various options to change the
feature are more thought explorations to try to understand how to
model the feature than any requirements I am aware of.

> notifier to indicate an end of that authorization. I don't think we
> can simplify that out of the equation or we've essentially invalidated
> that the proof is really required.

The proof is like the chown in the above open() example. Once kvm is
authorized it keeps working even if a new authorization could not be
obtained. It is not very different from chmod'ing a file after
something opened it.

Inablity to revoke doesn't invalidate the value of the initial
one-time access control check.

Generally agree on the rest of your message

Regards,
Jason

Next message: Greg Kroah-Hartman: "[PATCH 5.10 120/137] btrfs: fix error handling in btrfs_del_csums"
Previous message: Greg Kroah-Hartman: "[PATCH 5.10 118/137] powerpc/kprobes: Fix validation of prefixed instructions across page boundary"
In reply to: Alex Williamson: "Re: [RFC] /dev/ioasid uAPI proposal"
Next in thread: Enrico Weigelt, metux IT consult: "Re: [RFC] /dev/ioasid uAPI proposal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]