From: Marc Zyngier <maz@kernel.org>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>,
Alex Williamson <alex.williamson@redhat.com>,
Lu Baolu <baolu.lu@linux.intel.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Cornelia Huck <cohuck@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Gerald Schaefer <gerald.schaefer@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
Kevin Tian <kevin.tian@intel.com>,
kvm@vger.kernel.org, linux-s390@vger.kernel.org,
Robin Murphy <robin.murphy@arm.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Sven Schnelle <svens@linux.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
Bharat Bhushan <bharat.bhushan@nxp.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Eric Auger <eric.auger@redhat.com>,
Eric Farman <farman@linux.ibm.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Matthew Rosato <mjrosato@linux.ibm.com>,
Tomasz Nowicki <tomasz.nowicki@caviumnetworks.com>,
Will Deacon <will.deacon@arm.com>
Subject: Re: [PATCH iommufd 1/9] irq: Add msi_device_has_secure_msi()
Date: Fri, 09 Dec 2022 14:18:16 +0000 [thread overview]
Message-ID: <86a63wr787.wl-maz@kernel.org> (raw)
In-Reply-To: <Y5NB7o/7gtryVpoJ@nvidia.com>
On Fri, 09 Dec 2022 14:10:54 +0000,
Jason Gunthorpe <jgg@nvidia.com> wrote:
>
> On Fri, Dec 09, 2022 at 01:59:35PM +0000, Marc Zyngier wrote:
> > On Thu, 08 Dec 2022 20:26:28 +0000,
> > Jason Gunthorpe <jgg@nvidia.com> wrote:
> > >
> > > This will replace irq_domain_check_msi_remap() in following patches.
> > >
> > > The new API makes it more clear what "msi_remap" actually means from a
> > > functional perspective instead of identifying an implementation specific
> > > HW feature.
> > >
> > > Secure MSI means that an irq_domain on the path from the initiating device
> >
> > irq_domain is a SW construct, and you are trying to validate something
> > that is HW property.
>
> Sure, but the SW constructs model the HW functions, so yes this is
> trying to say that the irq_domain is modeling HW that does this.
>
> > "Secure" is also a terribly overloaded term that means very different
> > things in non-x86 circles.
>
> Here it is being used as a software property - it is security safe to
> allow device operation outside the kernel.
>
> > When I read this, I see an ARM system with
> > a device generating an MSI with the "secure" bit set as part of the
> > transaction and identifying the memory access as being part of the
> > "secure" domain.
>
> Is that secure meaning "confidential" or some other ARM thing?
In ARM parlance, "secure" denotes the secure *physical address space*,
which is a totally disconnected PA space from the "normal" PA space.
If on top of that you have had an unhealthy helping of the
"confidential computing" kool-aid, you get another 2 extra physical
address spaces ("root" and "realm").
>
> > > number that the initiating device is authorized to trigger. Secure MSI
> > > must block devices from triggering interrupts they are not authorized to
> > > trigger. Currently authorization means the MSI vector is one assigned to
> > > the device.
> >
> > What you are describing here is a *device isolation* property, and I'd
> > rather we stay away from calling that "secure". If anything, I'd
> > rather call everything else "broken".
>
> Sure, so
>
> msi_device_isolated_interrupts()
>
> And related ?
Sure.
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2022-12-09 14:18 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-08 20:26 [PATCH iommufd 0/9] Remove IOMMU_CAP_INTR_REMAP Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 1/9] irq: Add msi_device_has_secure_msi() Jason Gunthorpe
2022-12-09 13:59 ` Marc Zyngier
2022-12-09 14:10 ` Jason Gunthorpe
2022-12-09 14:18 ` Marc Zyngier [this message]
2022-12-08 20:26 ` [PATCH iommufd 2/9] vfio/type1: Check that every device supports IOMMU_CAP_INTR_REMAP Jason Gunthorpe
2022-12-08 21:48 ` Alex Williamson
2022-12-09 0:44 ` Jason Gunthorpe
2022-12-09 10:24 ` Robin Murphy
2022-12-08 20:26 ` [PATCH iommufd 3/9] vfio/type1: Convert to msi_device_has_secure_msi() Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 4/9] iommufd: " Jason Gunthorpe
2022-12-09 6:01 ` Tian, Kevin
2022-12-09 14:47 ` Jason Gunthorpe
2022-12-09 16:44 ` Robin Murphy
2022-12-09 17:38 ` Jason Gunthorpe
2022-12-12 15:17 ` Thomas Gleixner
2022-12-12 15:47 ` Jason Gunthorpe
2022-12-12 16:25 ` Thomas Gleixner
2022-12-08 20:26 ` [PATCH iommufd 5/9] irq: Remove unused irq_domain_check_msi_remap() code Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 6/9] irq: Rename MSI_REMAP to SECURE_MSI Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 7/9] iommu/x86: Replace IOMMU_CAP_INTR_REMAP with IRQ_DOMAIN_FLAG_SECURE_MSI Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 8/9] irq/s390: Add arch_is_secure_msi() for s390 Jason Gunthorpe
2022-12-08 20:26 ` [PATCH iommufd 9/9] iommu: Remove IOMMU_CAP_INTR_REMAP Jason Gunthorpe
2022-12-08 23:37 ` [PATCH iommufd 0/9] " Matthew Rosato
2022-12-09 0:42 ` Jason Gunthorpe
2022-12-09 5:54 ` Tian, Kevin
2022-12-09 14:38 ` Jason Gunthorpe
2022-12-09 15:21 ` Jason Gunthorpe
2022-12-09 19:57 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86a63wr787.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=alex.williamson@redhat.com \
--cc=baolu.lu@linux.intel.com \
--cc=bharat.bhushan@nxp.com \
--cc=borntraeger@de.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eric.auger@redhat.com \
--cc=farman@linux.ibm.com \
--cc=gerald.schaefer@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=mjrosato@linux.ibm.com \
--cc=robin.murphy@arm.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=tomasz.nowicki@caviumnetworks.com \
--cc=will.deacon@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox