From: Jason Gunthorpe <jgg@nvidia.com>
To: Lukas Wunner <lukas@wunner.de>
Cc: Vidya Sagar <vidyas@nvidia.com>,
corbet@lwn.net, bhelgaas@google.com, galshalom@nvidia.com,
leonro@nvidia.com, treding@nvidia.com, jonathanh@nvidia.com,
mmoshrefjava@nvidia.com, shahafs@nvidia.com, vsethi@nvidia.com,
sdonthineni@nvidia.com, jan@nvidia.com, tdave@nvidia.com,
linux-doc@vger.kernel.org, linux-pci@vger.kernel.org,
linux-kernel@vger.kernel.org, kthota@nvidia.com,
mmaddireddy@nvidia.com, sagar.tv@gmail.com
Subject: Re: [PATCH V4] PCI: Extend ACS configurability
Date: Tue, 25 Jun 2024 13:39:18 -0300 [thread overview]
Message-ID: <20240625163918.GC2494510@nvidia.com> (raw)
In-Reply-To: <ZnrvmGBw-Ss-oOO6@wunner.de>
On Tue, Jun 25, 2024 at 06:26:00PM +0200, Lukas Wunner wrote:
> On Tue, Jun 25, 2024 at 09:01:50PM +0530, Vidya Sagar wrote:
> > Add a kernel command-line option 'config_acs' to directly control all the
> > ACS bits for specific devices, which allows the operator to setup the
> > right level of isolation to achieve the desired P2P configuration.
>
> An example wouldn't hurt, here and in kernel-parameters.txt.
>
>
> > ACS offers a range of security choices controlling how traffic is
> > allowed to go directly between two devices. Some popular choices:
> > - Full prevention
> > - Translated requests can be direct, with various options
> > - Asymmetric direct traffic, A can reach B but not the reverse
> > - All traffic can be direct
> > Along with some other less common ones for special topologies.
>
> I'm wondering whether it would make more sense to let users choose
> between those "higher-level" options, instead of giving direct access
> to bits (and thus risking users to choose an incorrect setting).
It doesn't seem like the kernel has enough information to do that, or
at least describing enough information in the command line would be
more complex than this.
> Also, would it be possible to automatically change ACS settings
> when enabling or disabling P2PDMA?
No, as the commit said the ACS settings are required at early boot
before iommu_groups are formed. They cannot be changed dynamically
with today's kernel.
> The representation chosen here (as a command line option) seems
> questionable:
>
> We're going to add more user-controllable options going forward.
> E.g., when introducing IDE, we'll have to let user space choose
> whether encryption should be enabled for certain PCIe devices.
> That's because encryption isn't for free, so can't be enabled
> opportunistically. (The number of crypto engines on a CPU is
> limited and enabling encryption consumes energy.)
But that isn't part of ACS, so what is wrong with having ACS its own
configurable and other PCI functions can do what is appropriate for
them?
I do encourage people to avoid using the kernel command line. ACS is
forced into that because of the iommu_group issue.
> What about exposing such user configurable settings with sysctl?
I think sysctl is mostly deprecated in favour of sysfs.
An ide file in the sysfs to control the IDE stuff makes alot of sense
to me.
Jason
next prev parent reply other threads:[~2024-06-25 16:39 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-21 11:09 [PATCH V2] PCI: Extend ACS configurability Vidya Sagar
2024-05-21 15:44 ` kernel test robot
2024-05-23 6:35 ` [PATCH V3] " Vidya Sagar
2024-05-23 14:59 ` Bjorn Helgaas
2024-05-23 15:16 ` Jason Gunthorpe
2024-06-03 7:50 ` Vidya Sagar
2024-06-07 19:30 ` Bjorn Helgaas
2024-06-10 11:38 ` Jason Gunthorpe
2024-06-12 21:29 ` Bjorn Helgaas
2024-06-12 23:23 ` Jason Gunthorpe
2024-06-13 22:05 ` Bjorn Helgaas
2024-06-13 23:36 ` Jason Gunthorpe
2024-06-13 22:38 ` Alex Williamson
2024-06-12 12:19 ` Jason Gunthorpe
2024-06-25 15:31 ` [PATCH V4] " Vidya Sagar
2024-06-25 16:26 ` Lukas Wunner
2024-06-25 16:39 ` Jason Gunthorpe [this message]
2024-06-26 6:02 ` Leon Romanovsky
2024-06-26 7:40 ` Tian, Kevin
2024-06-26 11:50 ` Jason Gunthorpe
2024-07-08 14:39 ` Jason Gunthorpe
2024-07-12 21:57 ` Bjorn Helgaas
2024-09-25 5:06 ` Jiri Slaby
2024-09-25 5:29 ` Jiri Slaby
2024-09-25 5:49 ` Jiri Slaby
2024-10-01 19:33 ` Jason Gunthorpe
2024-10-07 16:36 ` Steffen Dirkwinkel
2024-10-07 20:43 ` Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240625163918.GC2494510@nvidia.com \
--to=jgg@nvidia.com \
--cc=bhelgaas@google.com \
--cc=corbet@lwn.net \
--cc=galshalom@nvidia.com \
--cc=jan@nvidia.com \
--cc=jonathanh@nvidia.com \
--cc=kthota@nvidia.com \
--cc=leonro@nvidia.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mmaddireddy@nvidia.com \
--cc=mmoshrefjava@nvidia.com \
--cc=sagar.tv@gmail.com \
--cc=sdonthineni@nvidia.com \
--cc=shahafs@nvidia.com \
--cc=tdave@nvidia.com \
--cc=treding@nvidia.com \
--cc=vidyas@nvidia.com \
--cc=vsethi@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).