From: Alex Williamson <alex.williamson@redhat.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Donald Dutile <ddutile@redhat.com>,
Bjorn Helgaas <bhelgaas@google.com>,
iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
linux-pci@vger.kernel.org, Robin Murphy <robin.murphy@arm.com>,
Will Deacon <will@kernel.org>,
Lu Baolu <baolu.lu@linux.intel.com>,
galshalom@nvidia.com, Joerg Roedel <jroedel@suse.de>,
Kevin Tian <kevin.tian@intel.com>,
kvm@vger.kernel.org, maorg@nvidia.com, patches@lists.linux.dev,
tdave@nvidia.com, Tony Zhu <tony.zhu@intel.com>
Subject: Re: [PATCH 03/11] iommu: Compute iommu_groups properly for PCIe switches
Date: Tue, 23 Sep 2025 06:58:01 -0600 [thread overview]
Message-ID: <20250923065801.3c6a23e4.alex.williamson@redhat.com> (raw)
In-Reply-To: <20250923123218.GI1391379@nvidia.com>
On Tue, 23 Sep 2025 09:32:18 -0300
Jason Gunthorpe <jgg@nvidia.com> wrote:
> On Mon, Sep 22, 2025 at 08:50:27PM -0600, Alex Williamson wrote:
> > That's not what the spec is doing. We're misinterpreting it. The
> > sections of the spec you're quoting are saying that if a MFD function
> > supports ACS it must support this specific p2p set of capability and
> > control bits unless the device does not support internal p2p.
>
> Bjorn raised that too, but it doesn't actually say that. The wording
> is meaningfully different from the preceeding section that does
> explicitly say the language only applies if the ACS cap is present.
What then is a "Multi-Function Device ACS Function". I think we need
to take context from the parent and previous sections to understand
this applies to functions implementing the ACS extended capability.
> IMHO, from a spec perspective, prior to this language, internal MFD
> loopback was *undefined*.
>
> You are advocating for a very pessimistic position that undefined must
> mean the worst interpretation for everyone. It doesn't, undefined
> means we don't know.
Right, we don't know if p2p is implemented, we're implementing a
security related feature, therefore we assume the worst case and allow
for quirks in instances where the vendor can vouch that p2p is not
possible.
> A big part of the argument here is that in the modern world the HW
> community has aligned that MFDs should not have internal loopback
> because it harms virtualization.
>
> We are here a decade later and we can choose to require quirks on
> devices that choose to implement internal loopback, because they are
> certainly now the minority of HW.
This seems like optimistic speculation.
> > We've had NIC vendors implement an empty ACS capability to convey the
> > fact that the device does not support internal p2p. There is precedent
> > for the interpretation I'm describing.
>
> IMHO it just shows Linux has the power to convince device vendors to
> do things.
And now we're effectively punishing vendors that have gone to this
effort to expose isolation by hand waving that it should exist by now...
> > Are we going to expect users to opt-in to securing their system?
>
> Since the grouping isn't working right today we are already
> effectively doing this.
>
> All this is arguing that the burden shifts from people with modern
> systems to people with ancient systems.
AIUI there's a narrow case of downstream switch ports implemented as
separate slots that is misrepresented. This should be fixed. There's
also an effort here to consider both egress traffic (as done today) as
well as ingress traffic (new). IMO this will inevitably cause
regressions and users may need to opt-in to make their grouping less
secure for previous compatibility.
Requiring users to opt-in to secure their system is fundamentally
different from requiring users to opt-in to a reduced isolation
paradigm. Thanks,
Alex
next prev parent reply other threads:[~2025-09-23 12:58 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-30 22:28 [PATCH 00/11] Fix incorrect iommu_groups with PCIe switches Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 01/11] PCI: Move REQ_ACS_FLAGS into pci_regs.h as PCI_ACS_ISOLATED Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 02/11] PCI: Add pci_bus_isolation() Jason Gunthorpe
2025-07-01 19:28 ` Alex Williamson
2025-07-02 1:00 ` Jason Gunthorpe
2025-07-03 15:30 ` Jason Gunthorpe
2025-07-03 22:17 ` Alex Williamson
2025-07-03 23:08 ` Alex Williamson
2025-07-03 23:21 ` Jason Gunthorpe
2025-07-03 23:15 ` Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 03/11] iommu: Compute iommu_groups properly for PCIe switches Jason Gunthorpe
2025-07-01 19:29 ` Alex Williamson
2025-07-02 1:04 ` Jason Gunthorpe
2025-07-17 19:25 ` Donald Dutile
2025-07-17 20:27 ` Jason Gunthorpe
2025-07-18 2:31 ` Donald Dutile
2025-07-18 13:32 ` Jason Gunthorpe
2025-09-22 22:32 ` Alex Williamson
2025-09-22 23:15 ` Jason Gunthorpe
2025-09-23 0:51 ` Donald Dutile
2025-09-23 1:17 ` Alex Williamson
2025-09-23 1:10 ` Alex Williamson
2025-09-23 2:26 ` Donald Dutile
2025-09-23 2:50 ` Alex Williamson
2025-09-23 12:32 ` Jason Gunthorpe
2025-09-23 12:58 ` Alex Williamson [this message]
2025-09-23 13:03 ` Jason Gunthorpe
2025-09-23 21:29 ` Alex Williamson
2025-09-25 12:20 ` Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 04/11] iommu: Organize iommu_group by member size Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 05/11] PCI: Add pci_reachable_set() Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 06/11] iommu: Use pci_reachable_set() in pci_device_group() Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 07/11] iommu: Validate that pci_for_each_dma_alias() matches the groups Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 08/11] PCI: Add the ACS Enhanced Capability definitions Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 09/11] PCI: Enable ACS Enhanced bits for enable_acs and config_acs Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 10/11] PCI: Check ACS DSP/USP redirect bits in pci_enable_pasid() Jason Gunthorpe
2025-06-30 22:28 ` [PATCH 11/11] PCI: Check ACS Extended flags for pci_bus_isolated() Jason Gunthorpe
2025-07-01 21:48 ` [PATCH 00/11] Fix incorrect iommu_groups with PCIe switches Alex Williamson
2025-07-02 1:47 ` Jason Gunthorpe
2025-07-04 0:37 ` Jason Gunthorpe
2025-07-11 14:55 ` Alex Williamson
2025-07-11 16:08 ` Jason Gunthorpe
2025-07-08 20:47 ` Jason Gunthorpe
2025-07-11 15:40 ` Alex Williamson
2025-07-11 16:14 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250923065801.3c6a23e4.alex.williamson@redhat.com \
--to=alex.williamson@redhat.com \
--cc=baolu.lu@linux.intel.com \
--cc=bhelgaas@google.com \
--cc=ddutile@redhat.com \
--cc=galshalom@nvidia.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=maorg@nvidia.com \
--cc=patches@lists.linux.dev \
--cc=robin.murphy@arm.com \
--cc=tdave@nvidia.com \
--cc=tony.zhu@intel.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox