Jason Gunthorpe wrote: > On Thu, Sep 05, 2024 at 12:17:14PM +0000, Tian, Kevin wrote: > > > From: Jason Gunthorpe <jgg@xxxxxxxxxx> > > > Sent: Thursday, September 5, 2024 8:01 PM > > > > > > On Tue, Sep 03, 2024 at 05:59:38PM -0700, Dan Williams wrote: > > > > Jason Gunthorpe wrote: > > > > > It would be a good starting point for other platforms to pick at. Try > > > > > iommufd first (I'm guessing this is correct) and if it doesn't work > > > > > explain why. > > > > > > > > Yes, makes sense. Will take a look at that also to prevent more > > > > disconnects on what this PCI device-security community is actually > > > > building. > > > > > > We are already adding a VIOMMU object and that is going to be the > > > linkage to the KVM side > > > > > > So we could have new actions: > > > - Create a CC VIOMMU with XYZ parameters > > > - Create a CC vPCI function on the vIOMMU with XYZ parameters > > > - Query stuff? > > > - ??? > > > - Destroy a vPCI function > > > > > > > I'll look at the vIOMMU series soon. Just double confirm here. > > > > the so-called vIOMMU object here is the uAPI between iommufd > > and userspace. Not exactly suggesting a vIOMMU visible to guest. > > otherwise this solution will be tied to implementations supporting > > trusted vIOMMU. > > Right, the viommu object today just wraps elements of HW that are > connected to the VM in some way. It is sort of a security container. > > If the VMM goes on to expose a vIOMMU to the guest or not should be > orthogonal. > > I expect people will explicitly request a secure vIOMMU if they intend > to expose the vIOMMU to the CC VM. This can trigger any actions in the > trusted world that are required to support a secure vIOMMU. > > For instance any secure vIOMMU will require some way for the guest to > issue secure invalidations, and that will require some level of > trusted world involvement. At the minimum the trusted world has to > attest the validity of the vIOMMU to the guest. > > > Then you expect to build CC/vPCI stuff around the vIOMMU > > object given it already connects to KVM? > > Yes, it is my thought > > We alreay have a binding of devices to the viommu, increasing that to > also include creating vPCI objects in the trusted world is a small > step. Sounds reasonable to me. To answer Kevin's question about what "bind capable" means I need to clarify this oversubscribed "bind" term means. "Bind" in the TDISP sense is transitioning the device to the LOCKED state so that its configuration is static and ready for the VM to run attestation without worrying about TOCTOU races. The VMM is not in a good position to know when the assigned device can be locked. There are updates, configuration changes, and reset/recovery scenarios the VM may want to perform before transitioning the device to the LOCKED state. So, the "bind capable" concept is: pre-condition VFIO with the context that "this vPCI device is known to VFIO as a device that can attach to the secure world, all the linkage between VFIO and the secure world is prepared for a VM to trigger entry into the LOCKED state, and later the RUN state". As mentioned in another thread this entry into the LOCKED state is likely nearly as violent as hotplug event since the DMA layer currently has no concept of a device having a foot in the secure world and the shared world at the same time.