From: Jason Gunthorpe <jgg@nvidia.com>
To: Eric Auger <eric.auger@redhat.com>
Cc: eric.auger.pro@gmail.com, yi.l.liu@intel.com, yi.y.sun@intel.com,
alex.williamson@redhat.com, clg@redhat.com,
qemu-devel@nongnu.org, david@gibson.dropbear.id.au,
thuth@redhat.com, farman@linux.ibm.com, mjrosato@linux.ibm.com,
akrowiak@linux.ibm.com, pasic@linux.ibm.com,
jjherne@linux.ibm.com, jasowang@redhat.com, kvm@vger.kernel.org,
nicolinc@nvidia.com, kevin.tian@intel.com, chao.p.peng@intel.com,
peterx@redhat.com, shameerali.kolothum.thodi@huawei.com,
zhangfei.gao@linaro.org, berrange@redhat.com, apopple@nvidia.com,
suravee.suthikulpanit@amd.com
Subject: Re: [RFC v3 18/18] vfio/as: Allow the selection of a given iommu backend
Date: Fri, 3 Feb 2023 14:01:27 -0400
Message-ID: <Y91L9+suOHM804wk@nvidia.com>
In-Reply-To: <3ddad294-69f7-3067-1420-e1438cf017cb@redhat.com>
On Fri, Feb 03, 2023 at 06:57:02PM +0100, Eric Auger wrote:
> Hi Jason,
>
> On 2/3/23 13:51, Jason Gunthorpe wrote:
> > On Tue, Jan 31, 2023 at 09:53:05PM +0100, Eric Auger wrote:
> >> Now we support two types of iommu backends, let's add the capability
> >> to select one of them. This depends on whether an iommufd object has
> >> been linked with the vfio-pci device:
> >>
> >> if the user wants to use the legacy backend, it shall not
> >> link the vfio-pci device with any iommufd object:
> >>
> >> -device vfio-pci,host=0000:02:00.0
> >>
> >> This is called the legacy mode/backend.
> >>
> >> If the user wants to use the iommufd backend (/dev/iommu) it
> >> shall pass an iommufd object id in the vfio-pci device options:
> >>
> >> -object iommufd,id=iommufd0
> >> -device vfio-pci,host=0000:02:00.0,iommufd=iommufd0
> >>
> >> Note the /dev/iommu device may have been pre-opened by a
> >> management tool such as libvirt. This mode is no more considered
> >> for the legacy backend. So let's remove the "TODO" comment.
> > The vfio cdev should also be pre-openable like iommufd?
>
> where does the requirement come from?
I would expect it helps sandbox security.
We couldn't do this with the original VFIO model, but now we can have
libvirt open the vfio with privilege and FD pass it to qemu.
This way qemu never needs to have privilege to open a VFIO or iommu
cdev node.
Jason
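The privilege-separation model Jason describes (a privileged broker such as libvirt opens the device node and hands the open descriptor to an unprivileged QEMU, so QEMU never needs the right to open /dev/iommu or a VFIO cdev itself) rests on SCM_RIGHTS descriptor passing over a Unix socket. The following is an added illustration of that mechanism, not code from the patch series, QEMU or libvirt: a parent process plays the broker, opens a constructed temporary file standing in for the device node, strips all permission bits from it, and passes the descriptor to a forked child playing the sandboxed consumer. The child shows that it cannot open the path directly (unless the example happens to run as root) yet can read through the received descriptor.

```python
import array
import os
import socket
import tempfile


def send_fd(sock: socket.socket, fd: int, tag: bytes = b"vfio") -> None:
    """Broker side: hand an already-open descriptor to the peer via SCM_RIGHTS."""
    sock.sendmsg([tag], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock: socket.socket):
    """Consumer side: receive exactly one descriptor; the kernel installs it as a fresh fd here."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Truncate to whole ints: the kernel may pad the control message.
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        raise RuntimeError(f"expected one descriptor, got {len(fds)}")
    return msg, fds[0]


def make_device_stand_in() -> str:
    """Constructed stand-in for a cdev node such as /dev/iommu (a plain temp file)."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed-device-bytes")
        return f.name


def expected_direct_open() -> bool:
    """Only root ignores the mode bits, so only root is expected to open the node directly."""
    return os.geteuid() == 0


def broker_and_consumer(path: str) -> dict:
    """Parent = privileged broker (libvirt role), child = sandboxed consumer (qemu role)."""
    # Broker opens the node while it still can, then removes all permission bits so the
    # consumer's own open() is refused; the open file description survives the chmod.
    fd = os.open(path, os.O_RDONLY)
    os.chmod(path, 0)
    broker_sock, consumer_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    result_r, result_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # consumer
        try:
            broker_sock.close()
            os.close(result_r)
            os.close(fd)  # the consumer must not keep the inherited copy; it only gets what is passed
            try:
                os.close(os.open(path, os.O_RDONLY))
                direct = b"1"
            except PermissionError:
                direct = b"0"
            tag, got = recv_fd(consumer_sock)
            data = os.read(got, 64)
            os.close(got)
            os.write(result_w, direct + b"|" + tag + b"|" + data)
            os._exit(0)
        except BaseException:
            os._exit(1)
    # broker
    consumer_sock.close()
    os.close(result_w)
    send_fd(broker_sock, fd, b"vfio")
    os.close(fd)  # the broker keeps no copy once it has been handed over
    raw = b""
    while chunk := os.read(result_r, 4096):
        raw += chunk
    os.close(result_r)
    _, status = os.waitpid(pid, 0)
    broker_sock.close()
    direct, tag, data = raw.split(b"|", 2)
    return {"tag": tag, "data": data, "direct_open_ok": direct == b"1",
            "consumer_exit_ok": os.waitstatus_to_exitcode(status) == 0}


def cleanup(path: str) -> None:
    os.unlink(path)


if __name__ == "__main__":
    p = make_device_stand_in()
    try:
        print(broker_and_consumer(p))
    finally:
        cleanup(p)
```

The security property being demonstrated is that access is delegated per descriptor rather than per path: the consumer holds a read-only handle to one object, chosen by the broker, and has no standing permission to open the node itself. That is why Jason's point extends to the VFIO cdev and not only iommufd; any node the consumer would otherwise need open() permission on is a candidate for brokering.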
Thread overview:
2023-01-31 20:52 [RFC v3 00/18] vfio: Adopt iommufd Eric Auger
2023-01-31 20:52 ` [RFC v3 01/18] scripts/update-linux-headers: Add iommufd.h Eric Auger
2023-01-31 20:52 ` [RFC v3 02/18] linux-headers: Import vfio.h and iommufd.h Eric Auger
2023-01-31 20:52 ` [RFC v3 03/18] vfio/common: Move IOMMU agnostic helpers to a separate file Eric Auger
2023-01-31 20:52 ` [RFC v3 04/18] vfio/common: Introduce vfio_container_add|del_section_window() Eric Auger
2023-01-31 20:52 ` [RFC v3 05/18] vfio/common: Move legacy VFIO backend code into separate container.c Eric Auger
2023-01-31 20:52 ` [RFC v3 06/18] vfio/common: Rename into as.c Eric Auger
2023-01-31 20:52 ` [RFC v3 07/18] vfio: Add base container Eric Auger
2023-01-31 20:52 ` [RFC v3 08/18] vfio/container: Introduce vfio_[attach/detach]_device Eric Auger
2023-01-31 20:52 ` [RFC v3 09/18] vfio/platform: Use vfio_[attach/detach]_device Eric Auger
2023-01-31 20:52 ` [RFC v3 10/18] vfio/ap: " Eric Auger
2023-01-31 20:52 ` [RFC v3 11/18] vfio/ccw: " Eric Auger
2023-03-03 17:30 ` Matthew Rosato
2023-03-08 10:56 ` Eric Auger
2023-01-31 20:52 ` [RFC v3 12/18] vfio/container-base: Introduce [attach/detach]_device container callbacks Eric Auger
2023-01-31 20:53 ` [RFC v3 13/18] vfio/container-base: Introduce VFIOContainer reset callback Eric Auger
2023-01-31 20:53 ` [RFC v3 14/18] backends/iommufd: Introduce the iommufd object Eric Auger
2023-02-15 23:48 ` Nicolin Chen
2023-02-16 7:58 ` Eric Auger
2023-01-31 20:53 ` [RFC v3 15/18] util/char_dev: Add open_cdev() Eric Auger
2023-01-31 20:53 ` [RFC v3 16/18] vfio/iommufd: Implement the iommufd backend Eric Auger
2023-01-31 23:30 ` Jason Gunthorpe
2023-02-01 15:42 ` Eric Auger
2023-01-31 20:53 ` [RFC v3 17/18] vfio/iommufd: Add IOAS_COPY_DMA support Eric Auger
2023-01-31 20:53 ` [RFC v3 18/18] vfio/as: Allow the selection of a given iommu backend Eric Auger
2023-02-03 12:51 ` Jason Gunthorpe
2023-02-03 17:57 ` Eric Auger
2023-02-03 18:01 ` Jason Gunthorpe [this message]
2023-02-03 12:57 ` [RFC v3 00/18] vfio: Adopt iommufd Jason Gunthorpe
2023-02-03 18:03 ` Eric Auger
2023-02-03 18:07 ` Jason Gunthorpe