On Fri, Sep 24, 2021 at 03:43:40PM -0700, Andi Kleen wrote:

quoted

quoted

Hmm, yes that's true. I guess we can make it default to opt-in for
pci_iomap.

It only really matters for device less ioremaps.

OK. And same thing for other things with device, such as
devm_platform_ioremap_resource.
If we agree on all that, this will basically remove virtio
changes from the picture ;)

Hi we revisited this now. One problem with removing the ioremap opt-in is
that it's still possible for drivers to get at devices without going through
probe. For example they can walk the PCI device list. Some drivers do that
for various reasons. So if we remove the opt-in we would need to audit and
possibly fix all that, which would be potentially a lot of churn. That's why
I think it's better to keep the opt-in.


-Andi

I've been thinking about why this still feels wrong to me.

Here's what I came up with: at some point someone will want one of these
modules (poking at devices in the initcall) in the encrypted
environment, and will change ioremap to ioremap_shared.
At that point the allowlist will be broken again, and
by that time it will be set in stone and too late to fix.

Isn't the problem that what is actually audited is modules,
but you are trying to add devices to allow list?
So why not have modules/initcalls in the allowlist then?
For built-in modules, we already have initcall_blacklisted, right?
This could be an extension ... no?

-- 
MST