On Wed, Jun 09, 2021 at 12:00:09PM -0300, Jason Gunthorpe wrote: > Only *drivers* know what the actual device is going to do, devices do > not. Since the group doesn't have drivers it is the wrong layer to be > making choices about how to configure the IOMMU. Groups don't carry how to configure IOMMUs, that information is mostly in the IOMMU domains. And those (or an abstraction of them) is configured through /dev/ioasid. So not sure what you wanted to say with the above. All a group carries is information about which devices are not sufficiently isolated from each other and thus need to always be in the same domain. > The device centric approach is my attempt at this, and it is pretty > clean, I think. Clean, but still insecure. > All ACS does is prevent P2P operations, if you assign all the group > devices into the same /dev/iommu then you may not care about that > security isolation property. At the very least it is policy for user > to decide, not kernel. It is a kernel decision, because a fundamental task of the kernel is to ensure isolation between user-space tasks as good as it can. And if a device assigned to one task can interfer with a device of another task (e.g. by sending P2P messages), then the promise of isolation is broken. > Groups should be primarily about isolation security, not about IOASID > matching. That doesn't make any sense, what do you mean by 'IOASID matching'? > Blocking this forever in the new uAPI just because group = IOASID is > some historical convenience makes no sense to me. I think it is safe to assume that devices supporting PASID will most often be the only ones in their group. But for the non-PASID IOASID use-cases like plain old device assignment to a VM it needs to be group-centric. Regards, Joerg