On Thu, Jun 17, 2021 at 07:31:03AM +0000, Tian, Kevin wrote: > > > Yes. function 1 is block-DMA while function 0 still attached to IOASID. > > > Actually unbind from IOMMU fd doesn't change the security context. > > > the change is conducted when attaching/detaching device to/from an > > > IOASID. > > > > But I think you're suggesting that the IOMMU context is simply the > > device's default domain, so vfio is left in the position where the user > > gained access to the device by binding it to an iommu_fd, but now the > > device exists outside of the iommu_fd. I don't think unbind should be allowed. Close the fd and re-open it if you want to attach to a different iommu_fd. > > to gate device access on binding the device to the iommu_fd? The user > > can get an accessible device_fd unbound from an iommu_fd on the reverse > > path. > > yes, binding to iommu_fd is not the appropriate point of gating > device access. Binding is the only point we have enough information to make a full security decision. Device FDs that are not bound must be inoperable until bound. The complexities with revoking mmap/etc are what lead me to conclude that unbind is not worth doing - we can't go back to an inoperable state very easially. > Yes, that was the original impression. But after figuring out the new > block-DMA behavior, I'm not sure whether /dev/iommu must maintain > its own group integrity check. If it trusts vfio, I feel it's fine to avoid > such check which even allows a group of devices bound to different > IOMMU fd's if user likes. Also if we want to sustain the current vfio > semantics which doesn't require all devices in the group bound to > vfio driver, seems it's pointless to enforce such integrity check in > /dev/iommu. > > Jason, what's your opinion? I think the iommu code should do all of this, I don't see why vfio should be dealing with *iommu* isolation. The rest of this email got a bit long for me to catch up on, sorry :\ Jason
