On Fri, Oct 29, 2021 at 11:15:31AM +1100, David Gibson wrote:

> > +Device must be bound to an iommufd before the attach operation can
> > +be conducted. The binding operation builds the connection between
> > +the devicefd (opened via device-passthrough framework) and IOMMUFD.
> > +IOMMU-protected security context is esbliashed when the binding
> > +operation is completed.
>
> This can't be quite right. You can't establish a safe security
> context until all devices in the group are bound, but you can only
> bind them one at a time.

When any device is bound the entire group is implicitly adopted to this
iommufd and the whole group enters a safe-for-userspace state.

It is symmetrical with the kernel side, which is also device focused:
when any struct device is bound to a kernel driver the entire group is
implicitly adopted to kernel mode.

Lu should send a patch series soon that harmonizes how this works, it is
a very nice cleanup.

Jason
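Review bot: the quoted documentation hunk describes the security context as established per device "when the binding operation is completed", which is exactly what prompted the question above; the text should say that binding any one device adopts the device's whole IOMMU group to the iommufd, so a reader does not expect a per-device context. While touching it, fix the spelling of "esbliashed" to "established".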
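The group-adoption rule Jason describes, written out as a small userspace model so the ordering question is concrete. This is an added illustration, not kernel, iommufd or patch-series code: the `enum owner` states, the `device_bind`/`device_unbind` functions, the `-EBUSY` result for a mixed group and the device names are all assumptions of this model, chosen to show that the group becomes userspace-owned on the first iommufd bind and that a later kernel-driver bind into the same group is refused, symmetrically with a group first claimed by a kernel driver.

```c
/* Added model of "bind one device, adopt the whole group". Not kernel or
 * iommufd code; owner states, function names and error codes are assumed. */
#include <stdio.h>
#include <errno.h>

enum owner { OWNER_NONE, OWNER_KERNEL, OWNER_USER };

struct group {
    int id;
    enum owner owner;   /* who owns the whole group right now */
    int bound_count;    /* devices currently bound under that owner */
};

struct device {
    const char *name;   /* constructed sample names, not real hardware */
    struct group *group;
    enum owner bound_to; /* OWNER_NONE while unbound */
};

/* Bind to a kernel driver (OWNER_KERNEL) or to an iommufd (OWNER_USER).
 * The first bind in a group adopts the whole group to that mode; every
 * later bind must agree with the group's owner. Returns 0, -EINVAL if the
 * device is already bound, -EBUSY if the other side owns the group. */
int device_bind(struct device *dev, enum owner to)
{
    struct group *g = dev->group;
    if (dev->bound_to != OWNER_NONE) return -EINVAL;
    if (g->owner == OWNER_NONE) g->owner = to;   /* implicit group adoption */
    else if (g->owner != to) return -EBUSY;      /* mixed group refused */
    dev->bound_to = to;
    g->bound_count++;
    return 0;
}

/* Unbind; the group only becomes unowned when its last device leaves. */
int device_unbind(struct device *dev)
{
    struct group *g = dev->group;
    if (dev->bound_to == OWNER_NONE) return -EINVAL;
    dev->bound_to = OWNER_NONE;
    if (--g->bound_count == 0) g->owner = OWNER_NONE;
    return 0;
}

/* The property under discussion: in this model the group is safe for
 * userspace from the first iommufd bind on, not only after every device in
 * it has been bound. */
int group_safe_for_userspace(const struct group *g)
{
    return g->owner == OWNER_USER;
}

/* Two devices sharing one group: the first iommufd bind adopts the group, a
 * kernel-driver bind is then refused, a second iommufd bind is accepted.
 * Returns 0 when every step behaves as the model intends, else the step. */
int run_scenario(void)
{
    struct group g = { 1, OWNER_NONE, 0 };
    struct device a = { "0000:01:00.0", &g, OWNER_NONE }; /* constructed */
    struct device b = { "0000:01:00.1", &g, OWNER_NONE }; /* constructed */

    if (group_safe_for_userspace(&g)) return 1;
    if (device_bind(&a, OWNER_USER) != 0) return 2;
    if (!group_safe_for_userspace(&g)) return 3;  /* adopted on first bind */
    if (device_bind(&b, OWNER_KERNEL) != -EBUSY) return 4;
    if (device_bind(&b, OWNER_USER) != 0) return 5;
    if (device_unbind(&a) != 0) return 6;
    if (!group_safe_for_userspace(&g)) return 7;  /* b still holds the group */
    if (device_unbind(&b) != 0) return 8;
    if (g.owner != OWNER_NONE) return 9;
    /* Symmetry: a group claimed by a kernel driver refuses an iommufd bind. */
    if (device_bind(&a, OWNER_KERNEL) != 0) return 10;
    if (device_bind(&b, OWNER_USER) != -EBUSY) return 11;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("group adoption scenario %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The model deliberately has no "all devices bound" check: ownership is a per-group fact set by whichever side binds first, which is the point of the reply. What the real kernel does beyond that (how a group already claimed by a kernel driver is reported, and the cleanup Jason mentions) is not shown here.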