Re: [RFC v2] /dev/iommu uAPI proposal
From: Jason Gunthorpe
Date: Tue Jul 13 2021 - 12:32:55 EST
On Tue, Jul 13, 2021 at 10:26:07AM -0600, Alex Williamson wrote:
> Quoting this proposal again:
>
> > 1) A successful binding call for the first device in the group creates
> > the security context for the entire group, by:
> >
> > * Verifying group viability in a similar way as VFIO does;
> >
> > * Calling IOMMU-API to move the group into a block-dma state,
> > which makes all devices in the group attached to an block-dma
> > domain with an empty I/O page table;
> >
> > VFIO should not allow the user to mmap the MMIO bar of the bound
> > device until the binding call succeeds.
>
> The attach step is irrelevant to my question, the bind step is where
> the device/group gets into a secure state for device access.
Binding is similar to attach, it will need to indicate the drivers
intention and a SW driver will not attach to the PCI device underneath
it.
> AIUI the operation of VFIO_DEVICE_BIND_IOMMU_FD looks like this:
>
> iommu_ctx = iommu_ctx_fdget(iommu_fd);
>
> mdev = mdev_from_dev(vdev->dev);
> dev = mdev ? mdev_parent_dev(mdev) : vdev->dev;
>
> iommu_dev = iommu_register_device(iommu_ctx, dev, cookie);
A default of binding to vdev->dev might turn out to be OK, but this
needs to be an overridable op in vfio_device and the SW mdevs will
have to do some 'iommu_register_sw_device()' and not pass in a dev at
all.
Jason