From: Keith Busch <kbusch@kernel.org>
To: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Alex Mastro <amastro@fb.com>,
Alex Williamson <alex.williamson@redhat.com>,
Kevin Tian <kevin.tian@intel.com>,
Bjorn Helgaas <bhelgaas@google.com>,
David Reiss <dreiss@meta.com>, Joerg Roedel <joro@8bytes.org>,
Leon Romanovsky <leon@kernel.org>,
Li Zhe <lizhe.67@bytedance.com>,
Mahmoud Adam <mngyadam@amazon.de>,
Philipp Stanner <pstanner@redhat.com>,
Robin Murphy <robin.murphy@arm.com>,
Vivek Kasireddy <vivek.kasireddy@intel.com>,
Will Deacon <will@kernel.org>, Yunxiang Li <Yunxiang.Li@amd.com>,
linux-kernel@vger.kernel.org, iommu@lists.linux.dev,
kvm@vger.kernel.org
Subject: Re: [TECH TOPIC] vfio, iommufd: Enabling user space drivers to vend more granular access to client processes
Date: Thu, 18 Sep 2025 17:24:54 -0600 [thread overview]
Message-ID: <aMyUxqSEBHeHAPIn@kbusch-mbp> (raw)
In-Reply-To: <20250918225739.GS1326709@ziepe.ca>
On Thu, Sep 18, 2025 at 07:57:39PM -0300, Jason Gunthorpe wrote:
> On Thu, Sep 18, 2025 at 02:44:07PM -0700, Alex Mastro wrote:
>
> > We anticipate a growing need to provide more granular access to device resources
> > beyond what the kernel currently affords to user space drivers similar to our
> > model.
>
> I'm having a somewhat hard time wrapping my head around the security
> model that says your trust your related processes not use DMA in a way
> that is hostile their peers, but you don't trust them not to issue
> hostile ioctls..
I read this as more about having the granularity to automatically
release resources associated with a client process when it dies (as
mentioned below) rather than relying on the bootstrapping process to
manage it all. Not really about hostile ioctls, but that an ungraceful
ending of some client workload doesn't even send them.
> > - It would be nice if mappings created with the restricted IOMMU fd were
> > automatically freed when the underlying kernel object was freed (if the client
> > process were to exit ungracefully without explicitly performing unmap cleanup
> > after itself).
>
> Maybe the BPF could trigger an eventfd or something when the FD closes?
I wouldn't have considered a BPF dependency for this. I'll need to think
about that one for a moment.
next prev parent reply other threads:[~2025-09-18 23:24 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-18 21:44 [TECH TOPIC] vfio, iommufd: Enabling user space drivers to vend more granular access to client processes Alex Mastro
2025-09-18 22:57 ` Jason Gunthorpe
2025-09-18 23:24 ` Keith Busch [this message]
2025-09-19 7:00 ` Tian, Kevin
2025-09-19 11:58 ` Jason Gunthorpe
2025-09-22 9:14 ` Mostafa Saleh
2025-09-22 17:46 ` Alex Mastro
2025-09-22 17:51 ` Jason Gunthorpe
2025-09-19 11:56 ` Jason Gunthorpe
2025-09-19 15:57 ` Alex Williamson
2025-09-19 17:14 ` Alex Mastro
2025-09-19 16:13 ` Alex Mastro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aMyUxqSEBHeHAPIn@kbusch-mbp \
--to=kbusch@kernel.org \
--cc=Yunxiang.Li@amd.com \
--cc=alex.williamson@redhat.com \
--cc=amastro@fb.com \
--cc=bhelgaas@google.com \
--cc=dreiss@meta.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizhe.67@bytedance.com \
--cc=mngyadam@amazon.de \
--cc=pstanner@redhat.com \
--cc=robin.murphy@arm.com \
--cc=vivek.kasireddy@intel.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox