> -----Original Message----- > From: Jason Gunthorpe [mailto:jgg@xxxxxxxx] > Sent: Friday, April 12, 2019 3:22 PM > To: Dalessandro, Dennis <dennis.dalessandro@xxxxxxxxx> > Cc: Leon Romanovsky <leon@xxxxxxxxxx>; dledford@xxxxxxxxxx; linux- > rdma@xxxxxxxxxxxxxxx; Collier, Josh D <josh.d.collier@xxxxxxxxx> > Subject: Re: [PATCH for-next v2] IB/hfi1: Add debugfs to control expansion > ROM write protect > > On Fri, Apr 12, 2019 at 12:34:31PM -0400, Dennis Dalessandro wrote: > > On 4/12/2019 11:38 AM, Leon Romanovsky wrote: > > > On Thu, Apr 11, 2019 at 07:07:42AM -0700, Dennis Dalessandro wrote: > > > > From: Josh Collier <josh.d.collier@xxxxxxxxx> > > > > > > > > Some kernels now enable CONFIG_IO_STRICT_DEVMEM which prevents > > > > multiple handles to PCI resource0. In order to continue to support > > > > expansion ROM updates while the driver is loaded, the driver must > > > > now provide an interface to control the expansion ROM write > > > > protection. > > > > > > From this description, it seems like that CONFIG_IO_STRICT_DEVMEM > > > was added to prevent this type of access, doesn't it? > > > > Due to the config option using the resource file is no longer an > > option for manipulating the EPROM. There are some accesses that we > > want to be able to make through the PCI config space which is not > > affected by the above config option. However access to that is > > protected by the HW. So this patch provides a safe interface to toggle > > that protection while still preventing userspace from free range access to > memory regions claimed by the driver. > > I feel like this should require CAP_SYS_ADMIN or maybe CAP_SYS_RAW_IO.. > > But I'm never sure when to check caps or when default permissions on file > nodes is good enough By default debugfs is only root accessible. The only CAP_SYS_ADMIN references in all of drivers/infiniband are in hfi1 for a sysfs related attribute and one other non-debugfs behavior. -Josh > > Jason
