From: Robin Murphy <robin.murphy-5wv7dgnIgG8@public.gmane.org>
To: Sinan Kaya <okaya-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
Alex Williamson
<alex.williamson-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Vikram Sethi <vikrams-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
Linux PCI <linux-pci-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Will Deacon <will.deacon-5wv7dgnIgG8@public.gmane.org>,
iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Bjorn Helgaas <bhelgaas-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
nd-5wv7dgnIgG8@public.gmane.org
Subject: Re: RFC on No ACS Support and SMMUv3 Support
Date: Tue, 14 Feb 2017 12:10:27 +0000 [thread overview]
Message-ID: <56c15010-c009-81e5-95d3-a6f50469223e@arm.com> (raw)
In-Reply-To: <546869d0-d05c-9550-86d5-276bc7a3c284-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
On 14/02/17 01:54, Sinan Kaya wrote:
> On 2/13/2017 8:46 PM, Alex Williamson wrote:
>>> My first goal is to support virtual function passthrough for device's that are directly
>>> connected. This will be possible with the quirk I proposed and it will be the most
>>> secure solution. It can certainly be generalized for other systems.
>> Why is this anything more than a quirk for the affected PCIe root port
>> vendor:device IDs and use of pci_device_group() to evaluate the rest of
>> the topology, as appears is already done? Clearly a blanket exception
>> for the platform wouldn't necessarily be correct if a user could plugin
>> a device that adds a PCIe switch.
>
> I was going to go this direction first. I wanted to check with everybody to see
> if there are other/better alternatives possible via either changing
> pci_device_group or changing the smmuv3 driver.
I second Alex's opinion here. The SMMU driver is absolutely not the
appropriate place to address this - it's a PCI issue that needs to be
solved in the PCI domain. To flip things around, regardless of VFIO,
overriding group allocation may just plain break some devices - if you
plug in, say, some USB 2.0 card with an OHCI/EHCI pair on two different
functions, assigning them to different groups such that they get
different domains and can't hand off valid DMA addresses to each other
is liable to go downhill very quickly.
Robin.
>>> My second goal is extend the code such that ACS validation is up to the customer via
>>> pci=noacs kernel command line for instance. This will let the customer choose what he
>>> really wants rather than kernel trying to be smart and protective. By passing pci=noacs
>>> parameter, customer acknowledges the risks this command line carries.
>> Be prepared that this will need to taint the kernel since we make
>> assertions with drivers like vfio to provide secure, isolated user
>> access to devices and we can't make that statement if the user has
>> bypassed ACS enforcement. There is absolutely no way that such an
>> option would not be severely abused. In fact, I tried adding such an
>> option with the pcie_acs_override= patch[1], Bjorn rejected it and I'm
>> thankful that he did. I don't think this is a good idea, sometimes the
>> kernel does need to be smarter than the user to protect them from
>> themselves. Any easy bypass also lets hardware vendors ignore the
>> issue longer. Thanks,
>
> Bjorn, any inputs?
>
>>
>> Alex
>>
>> [1] https://lkml.org/lkml/2013/5/30/513
>>
>
>
(apologies if a disclaimer appears below; SMTP problems...)
next prev parent reply other threads:[~2017-02-14 12:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 22:24 RFC on No ACS Support and SMMUv3 Support Sinan Kaya
2017-02-13 23:06 ` Alex Williamson
[not found] ` <20170213160652.7c141eb1-1yVPhWWZRC1BDLzU/O5InQ@public.gmane.org>
2017-02-14 0:14 ` Sinan Kaya
2017-02-14 1:46 ` Alex Williamson
[not found] ` <20170213184643.2d2bdce7-1yVPhWWZRC1BDLzU/O5InQ@public.gmane.org>
2017-02-14 1:54 ` Sinan Kaya
2017-02-14 9:45 ` Will Deacon
[not found] ` <546869d0-d05c-9550-86d5-276bc7a3c284-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
2017-02-14 12:10 ` Robin Murphy [this message]
2017-02-14 12:36 ` Will Deacon
[not found] ` <20170214123605.GA25144-5wv7dgnIgG8@public.gmane.org>
2017-02-14 13:53 ` Sinan Kaya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56c15010-c009-81e5-95d3-a6f50469223e@arm.com \
--to=robin.murphy-5wv7dgnigg8@public.gmane.org \
--cc=alex.williamson-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=bhelgaas-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=linux-pci-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=nd-5wv7dgnIgG8@public.gmane.org \
--cc=okaya-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=vikrams-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=will.deacon-5wv7dgnIgG8@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox