> From: Jason Gunthorpe <jgg@xxxxxxxxxx> > Sent: Tuesday, September 28, 2021 7:55 PM > > On Tue, Sep 28, 2021 at 07:13:01AM +0000, Tian, Kevin wrote: > > > From: Jason Gunthorpe <jgg@xxxxxxxxxx> > > > Sent: Monday, September 27, 2021 10:40 PM > > > > > > On Mon, Sep 27, 2021 at 01:32:34PM +0000, Tian, Kevin wrote: > > > > > > > but I'm little worried that even vfio-pci itself cannot be bound now, > > > > which implies that all devices in a group which are intended to be > > > > used by the user must be bound to vfio-pci in a breath before the > > > > user attempts to open any of them, i.e. late-binding and device- > > > > hotplug is disallowed after the initial open. I'm not sure how > > > > important such an usage would be, but it does cause user-tangible > > > > semantics change. > > > > > > Oh, that's bad.. > > > > > > I guess your approach is the only way forward, it will have to be > > > extensively justified in the commit message for Greg et al. > > > > > > > Just thought about another alternative. What about having driver > > core to call iommu after call_driver_probe()? > > Then the kernel is now already exposed to an insecure scenario, we > must not do probe if any user device is attached at all. > Originally I thought it's fine as long as the entire probe process is not completed. Based on your comment I feel your concern is that no guarantee that the driver won't do any iommu related work in its probe function thus it's insecure? Thanks Kevin
