From: Baolu Lu <baolu.lu@linux.intel.com>
To: Robin Murphy <robin.murphy@arm.com>,
"Tian, Kevin" <kevin.tian@intel.com>,
Jason Gunthorpe <jgg@nvidia.com>
Cc: baolu.lu@linux.intel.com,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
Joerg Roedel <joro@8bytes.org>,
Christoph Hellwig <hch@infradead.org>,
Will Deacon <will@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/4] iommu: Use group ownership to avoid driver attachment
Date: Thu, 16 Feb 2023 08:42:53 +0800 [thread overview]
Message-ID: <694e3fe4-084d-2da5-83f6-cc275fac4463@linux.intel.com> (raw)
In-Reply-To: <f4559966-c99e-47d2-a5ab-d248c7ed8e52@arm.com>
On 2/15/23 7:09 PM, Robin Murphy wrote:
> On 2023-02-15 07:28, Baolu Lu wrote:
>> On 2023/2/15 14:56, Tian, Kevin wrote:
>>>> From: Baolu Lu<baolu.lu@linux.intel.com>
>>>> Sent: Wednesday, February 15, 2023 1:51 PM
>>>>
>>>> On 2/13/23 10:19 PM, Jason Gunthorpe wrote:
>>>>> On Mon, Feb 13, 2023 at 03:49:39PM +0800, Lu Baolu wrote:
>>>>>> @@ -2992,6 +2987,14 @@ static ssize_t iommu_group_store_type(struct
>>>> iommu_group *group,
>>>>>> else
>>>>>> return -EINVAL;
>>>>>>
>>>>>> + if (req_type != IOMMU_DOMAIN_DMA_FQ ||
>>>>>> + group->default_domain->type != IOMMU_DOMAIN_DMA) {
>>>>>> + ret = iommu_group_claim_dma_owner(group, (void *)buf);
>>>>>> + if (ret)
>>>>>> + return ret;
>>>>>> + group_owner_claimed = true;
>>>>>> + }
>>>>> I don't get it, this should be done unconditionally. If we couldn't
>>>>> take ownership then we simply can't progress.
>>>> The existing code allows the user to switch the default domain from
>>>> strict to lazy invalidation mode. The default domain is not changed,
>>>> hence it should be seamless and transparent to the device driver.
>>> Is there real usage relying on this transition for a bound device?
>>>
>>> In concept strict->lazy transition implies relaxed DMA security. It's
>>> hard
>>> to think of a motivation of doing so while the device might be doing
>>> in-fly DMAs.
>>>
>>> Presumably such perf/security tradeoff should be planned way before
>>> binding device/driver together.
>>>
>>> btw if strict->lazy is allowed why lazy->strict is prohibited?
>>>
>>
>> We all know, strict vs. lazy is a tradeoff between performance and
>> security.
>>
>> strict -> lazy: driver works in secure mode. This transition trades off
>> security for better performance.
>>
>> lazy->strict: The driver is already working in non-safety mode. This
>> transition only results in worse performance. It makes no sense. If user
>> want to put the driver in a secure mode, they need to unbind the driver,
>> reset the device and do the lazy->strict transition.
>>
>> Robin might have better insights.
>
> Yes, this was added for a definite use-case in ChromeOS, where
> strict->lazy needs to support being done "live" since the device in
> question is the storage controller for the already-mounted root
> filesystem.
Thanks for letting us know this.
> Your reasoning seems to match what I summarised in the
> original commit message 😄
Haha, it seems that my memory is till good. :-)
Best regards,
baolu
next prev parent reply other threads:[~2023-02-16 0:51 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-13 7:49 [PATCH 0/4] iommu: Extend changing default domain to normal group Lu Baolu
2023-02-13 7:49 ` [PATCH 1/4] iommu: Add dev_iommu->ops_rwsem Lu Baolu
2023-02-13 14:16 ` Jason Gunthorpe
2023-02-15 5:34 ` Baolu Lu
2023-02-15 11:24 ` Robin Murphy
2023-02-16 0:40 ` Baolu Lu
2023-02-13 7:49 ` [PATCH 2/4] iommu: Use group ownership to avoid driver attachment Lu Baolu
2023-02-13 14:19 ` Jason Gunthorpe
2023-02-15 5:51 ` Baolu Lu
2023-02-15 6:56 ` Tian, Kevin
2023-02-15 7:28 ` Baolu Lu
2023-02-15 11:09 ` Robin Murphy
2023-02-16 0:42 ` Baolu Lu [this message]
2023-02-15 12:56 ` Jason Gunthorpe
2023-02-16 0:36 ` Baolu Lu
2023-02-13 7:49 ` [PATCH 3/4] iommu: Remove unnecessary device_lock() Lu Baolu
2023-02-13 7:49 ` [PATCH 4/4] iommu: Cleanup iommu_change_dev_def_domain() Lu Baolu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=694e3fe4-084d-2da5-83f6-cc275fac4463@linux.intel.com \
--to=baolu.lu@linux.intel.com \
--cc=hch@infradead.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox