On Tue, Jan 04, 2022 at 10:41:00AM -0600, Bjorn Helgaas wrote: > On Tue, Jan 04, 2022 at 02:08:00AM -0800, Christoph Hellwig wrote: > > On Tue, Jan 04, 2022 at 09:56:31AM +0800, Lu Baolu wrote: > > > Multiple devices may be placed in the same IOMMU group because they > > > cannot be isolated from each other. These devices must either be > > > entirely under kernel control or userspace control, never a mixture. > > I guess the reason is that if a group contained a mixture, userspace > could attack the kernel by programming a device to DMA to a device > owned by the kernel? There are several of reasons, including what you guess, but for the design of the series now we can just focus on the group's domain. If the kernel is using a device then the kernel driver uses the DMA API and the group's domain must always point to the default domain so long as a DMA API user exists. Hopefully it is clear to understand > > > The device driver oriented interfaces are, > > > > > > int iommu_device_use_dma_api(struct device *dev); > > > void iommu_device_unuse_dma_api(struct device *dev); > > Nit, do we care whether it uses the actual DMA API? Or is it just > that iommu_device_use_dma_api() tells us the driver may program the > device to do DMA? As the main purpose, yes this is all about the DMA API because it asserts the group domain is the DMA API's domain. There is a secondary purpose that has to do with the user/kernel attack you mentioned above. Maintaining the DMA API domain also prevents VFIO from allowing userspace to operate any device in the group which blocks P2P attacks to MMIO of other devices. This is why, even if the driver doesn't use DMA, it should still do a iommu_device_use_dma_api(), except in the special cases where we don't care about P2P attacks (eg pci-stub, bridges, etc). > > > The vfio oriented interfaces are, > > > > > > int iommu_group_set_dma_owner(struct iommu_group *group, > > > void *owner); > > > void iommu_group_release_dma_owner(struct iommu_group *group); > > > bool iommu_group_dma_owner_claimed(struct iommu_group *group); > > > > > > The device userspace assignment must be disallowed if the set dma owner > > > interface returns failure. > > Can you connect this back to the "never a mixture" from the beginning? > If all you cared about was prevent an IOMMU group from containing > devices with a mixture of kernel drivers and userspace drivers, I > assume you could do that without iommu_device_use_dma_api(). So is > this a way to *allow* a mixture under certain restricted conditions? It is not about user/kernel, it is about arbitrating the shared group->domain against multiple different requests to set it to something else. Lu, Given that the word 'user' was deleted from the API entirely it makes sense to reword these commit messages to focus less on user vs kernel and more on ownership of the domain pointer. Jason