On Tue, Mar 30, 2021 at 04:14:58AM +0000, Tian, Kevin wrote: > One correction. The mdev should still construct the list of allowed PASID's as > you said (by listening to IOASID_BIND/UNBIND event), in addition to the ioasid > set maintained per VM (updated when a PASID is allocated/freed). The per-VM > set is required for inter-VM isolation (verified when a pgtable is bound to the > mdev/PASID), while the mdev's own list is necessary for intra-VM isolation when > multiple mdevs are assigned to the same VM (verified before loading a PASID > to the mdev). This series just handles the general part i.e. per-VM ioasid set and > leaves the mdev's own list to be managed by specific mdev driver which listens > to various IOASID events). This is better, but I don't understand why we need such a convoluted design. Get rid of the ioasid set. Each driver has its own list of allowed ioasids. Register a ioasid in the driver's list by passing the fd and ioasid # No listening to events. A simple understandable security model. Look - it took you three emails to even correctly explain the security model you are striving for here, it is *obviously* too complicated for anyone to understand or successfully implement. simplify smiplify simplify. Jason
