Date: Sun, 29 Aug 2021 11:34:43 -0400
From: "Michael S. Tsirkin"
To: Andi Kleen
Cc: "Kuppuswamy, Sathyanarayanan", Kuppuswamy Sathyanarayanan,
 linux-doc@vger.kernel.org, Peter Zijlstra, linux-pci@vger.kernel.org,
 linux-mips@vger.kernel.org, James E J Bottomley, Dave Hansen,
 Peter H Anvin, sparclinux@vger.kernel.org, Thomas Gleixner,
 linux-arch@vger.kernel.org, Jonathan Corbet, Helge Deller,
 x86@kernel.org, Christoph Hellwig, Ingo Molnar, Arnd Bergmann,
 Tony Luck, Borislav Petkov, Andy Lutomirski, Bjorn Helgaas,
 Dan Williams, virtualization@lists.linux-foundation.org,
 Richard Henderson, Thomas Bogendoerfer, linux-parisc@vger.kernel.org,
 Sean Christopherson, linux-kernel@vger.kernel.org,
 linux-alpha@vger.kernel.org, "David S . Miller", Kirill Shutemov
Subject: Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}
Message-ID: <20210829113023-mutt-send-email-mst@kernel.org>

On Tue, Aug 24, 2021 at 10:04:26AM -0700, Andi Kleen wrote:
>
> On 8/24/2021 12:07 AM, Christoph Hellwig wrote:
> > On Mon, Aug 23, 2021 at 05:30:54PM -0700, Kuppuswamy, Sathyanarayanan wrote:
> > >
> > > On 8/23/21 4:56 PM, Michael S. Tsirkin wrote:
> > > > > Add a new variant of pci_iomap for mapping all PCI resources
> > > > > of a device as shared memory with a hypervisor in a confidential
> > > > > guest.
> > > > >
> > > > > Signed-off-by: Andi Kleen
> > > > > Signed-off-by: Kuppuswamy Sathyanarayanan
> > > > I'm a bit puzzled by this part. So why should the guest *not* map
> > > > pci memory as shared? And if the answer is never (as it seems to be)
> > > > then why not just make regular pci_iomap DTRT?
> > > It is in the context of confidential guest (where VMM is un-trusted). So
> > > we don't want to make all PCI resource as shared. It should be allowed
> > > only for hardened drivers/devices.
> > Well, assuming the host can do any damage when mapped shared that also
> > means not mapping it shared will completely break the drivers.
>
> There are several cases:
>
> - We have driver filtering active to protect you against attacks from the
> host against unhardened drivers.
>
> In this case the drivers not working is the intended behavior.
>
> - There is a command allow list override for some new driver, but the
> driver is hardened and shared
>
> The other drivers will still not work, but that's also the intended behavior
>
> - Driver filtering is disabled or the allow list override is used to enable
> some non hardened/enabled driver
>
> There is a command line option to override the ioremap sharing default, it
> will allow all drivers to do ioremap. We would really prefer to make it more
> fine-grained, but it's not possible in this case. Other drivers are likely
> attackable.
>
> - Driver filtering is disabled (allowing attacks on the drivers) and the
> command line option for forced sharing is set.
>
> All drivers initialize and can talk to the host through MMIO. Lots of
> unhardened drivers are likely attackable.
>
> -Andi

All this makes sense but ioremap is such a random place to declare
driver has been audited, and it's baked into the binary with no way for
userspace to set policy.

Again all we will end up with is gradual replacement of all ioremap
calls with ioremap_shared as people discover a given driver does not
work in a VM. How are you going to know driver has actually been
audited? What the quality of the audit was? Did the people doing the
auditing understand what they are auditing for? No way, right?

So IMHO, let it be for now.

--
MST