Re: [RFC PATCH 05/13] iommufd: Serialise persisted iommufds and ioas

From: David Woodhouse
Date: Mon Oct 07 2024 - 04:48:13 EST


On Mon, 2024-10-07 at 08:39 +0000, Gowans, James wrote:
>
> I think we have two other possible approaches here:
>
> 1. What this RFC is sketching out, serialising fields from the structs
> and setting those fields again on deserialise. As you point out this
> will be complicated.
>
> 2. Get userspace to do the work: userspace needs to re-do the ioctls
> after kexec to reconstruct the objects. My main issue with this approach
> is that the kernel needs to do some sort of trust but verify approach to
> ensure that userspace constructs everything the same way after kexec as
> it was before kexec. We don't want to end up in a state where the
> iommufd objects don't match the persisted page tables.

To what extent does the kernel really need to trust or verify? At LPC
we seemed to speak of a model where userspace builds a "new" address
space for each device and then atomically switches to the new page
tables instead of the original ones inherited from the previous kernel.

That does involve having space for another set of page tables, of
course, but that's not impossible.

> 3. Serialise and reply the ioctls. Ioctl APIs and payloads should
> (must?) be stable across kernel versions. If IOMMUFD records the ioctls
> executed by userspace then it could replay them as part of deserialise
> and give userspace a handle to the resulting objects after kexec. This
> way we are guaranteed consistent iommufd / IOAS objects. By "consistent"
> I mean they are the same as before kexec and match the persisted page
> tables. By having the kernel do this it means it doesn't need to depend
> on userspace doing the correct thing.
>
> What do you think of this 3rd approach? I can try to sketch it out and
> send another RFC if you think it sounds reasonable.

Attachment: smime.p7s
Description: S/MIME cryptographic signature