Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}

[PATCH v4 00/15] Add TDX Guest Support (shared-mm support) · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 01/15] x86/mm: Move force_dma_unencrypted() to common code · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 02/15] x86/tdx: Exclude Shared bit from physical_mask · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 03/15] x86/tdx: Make pages shared in ioremap() · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 05/15] x86/tdx: Make DMA pages shared · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 06/15] x86/kvm: Use bounce buffers for TD guest · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 07/15] x86/tdx: ioapic: Add shared bit for IOAPIC base address · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 08/15] x86/tdx: Enable shared memory protected guest flags for TDX guest · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 04/15] x86/tdx: Add helper to do MapGPA hypercall · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 09/15] pci: Consolidate pci_iomap* and pci_iomap*wc · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
Re: [PATCH v4 09/15] pci: Consolidate pci_iomap* and pci_iomap*wc · Bjorn Helgaas <helgaas@kernel.org> · 2021-08-12
Re: [PATCH v4 09/15] pci: Consolidate pci_iomap* and pci_iomap*wc · Andi Kleen <hidden> · 2021-08-12
Re: [PATCH v4 09/15] pci: Consolidate pci_iomap* and pci_iomap*wc · "Kuppuswamy, Sathyanarayanan" <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-12
[PATCH v4 10/15] asm/io.h: Add ioremap_shared fallback · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
Re: [PATCH v4 10/15] asm/io.h: Add ioremap_shared fallback · Bjorn Helgaas <helgaas@kernel.org> · 2021-08-12
Re: [PATCH v4 10/15] asm/io.h: Add ioremap_shared fallback · Christoph Hellwig <hch@infradead.org> · 2021-08-13
[PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Christoph Hellwig <hch@infradead.org> · 2021-08-13
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-23
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Kuppuswamy, Sathyanarayanan" <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Dan Williams <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Bjorn Helgaas <helgaas@kernel.org> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Bjorn Helgaas <helgaas@kernel.org> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Dan Williams <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Bjorn Helgaas <helgaas@kernel.org> · 2021-08-25
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Rajat Jain <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-29
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-29
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-29
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-30
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-30
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-31
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-09-10
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-09-10
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-09-11
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-09-13
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-09-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-09-27
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Rajat Jain <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Dan Williams <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Christoph Hellwig <hch@infradead.org> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-24
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-29
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · Andi Kleen <hidden> · 2021-08-29
Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range} · "Michael S. Tsirkin" <mst@redhat.com> · 2021-08-24
[PATCH v4 12/15] pci: Mark MSI data shared · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
Re: [PATCH v4 12/15] pci: Mark MSI data shared · Christoph Hellwig <hch@infradead.org> · 2021-08-13
[PATCH v4 14/15] x86/tdx: Implement ioremap_shared for x86 · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 13/15] virtio: Use shared mappings for virtio PCI devices · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05
[PATCH v4 15/15] x86/tdx: Add cmdline option to force use of ioremap_shared · Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com> · 2021-08-05

From: Andi Kleen <hidden>
Date: 2021-08-29 16:43:29
Also in: linux-alpha, linux-arch, linux-doc, linux-pci, lkml, sparclinux, virtualization

All this makes sense but ioremap is such a random place to declare
driver has been audited, and it's baked into the binary with no way for
userspace to set policy.

Again all we will end up with is gradual replacement of all ioremap
calls with ioremap_shared as people discover a given driver does not
work in a VM.

No the device filter will prevent that. They would need to submit 
patches to the central list.

Or they can override it at the command line, but there is already an 
option to force all ioremaps to be shared. So if you just want some 
driver to run without caring about security you can already do that 
without modifying it.

Besides the shared concept only makes sense for virtual devices, so if 
you don't have a device model for a device this will never happen either.

So I don't think your scenario of all ioremaps becoming shared will ever 
happen.

How are you going to know driver has actually been
audited? what the quality of the audit was? did the people doing the
auditing understand what they are auditing for?  No way, right?

First the primary purpose of the ioremap policy is to avoid messing with 
all the legacy drivers (which is 99+% of the code base)

How to handle someone maliciously submitting a driver to the kernel is a 
completely different problem. To some degree there is trust of course. 
If someone says they audited and a maintainer trusts them with their 
statement, but they actually didn't there is a problem, but it's larger 
than just TDX. But in such a case the community code audit will also 
focus on such areas, and people interested in confidential computing 
security will also start taking a look.

And we're also working on fuzzing, so these drivers will be fuzzed at 
some point, so mistakes will be eventually found.

But in any case the ioremap policy is mainly to prevent having to handle 
this for all legacy drivers.

I would rather change the few drivers that are actually needed, than all 
the other drivers.

That's really the fundamental problem this is addressing: how to get 
reasonable security with all the legacy drivers out of the box without 
touching them.


-Andi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help