RE: [PATCH 09/10] kvm/vfio: Remove vfio_group from kvm

> From: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Sent: Friday, April 15, 2022 2:46 AM
> 
> None of the VFIO APIs take in the vfio_group anymore, so we can remove it
> completely.
> 
> This has a subtle side effect on the enforced coherency tracking. The
> vfio_group_get_external_user() was holding on to the container_users which
> would prevent the iommu_domain and thus the enforced coherency value from
> changing while the group is registered with kvm.
> 
> It changes the security proof slightly into 'user must hold a group FD
> that has a device that cannot enforce DMA coherence'. As opening the group
> FD, not attaching the container, is the privileged operation this doesn't
> change the security properties much.

If we allow vfio_file_enforced_coherent() to return error then the security
proof can be sustained? In this case kvm can simply reject adding a group
which is opened but not attached to a container. 

Thanks
Kevin



