On Thu, Jun 18, 2020 at 02:38:04PM -0700, John G Johnson wrote:
>
> > On Jun 15, 2020, at 3:49 AM, Stefan Hajnoczi <stefa...@redhat.com> wrote:
> >
> > An issue with file descriptor passing is that it's hard to revoke access
> > once the file descriptor has been passed. memfd supports sealing with
> > fcntl(F_ADD_SEALS), but it doesn't revoke mmap(MAP_WRITE) on other processes.
> >
> > Memory Protection Keys don't seem to be useful here either and their
> > availability is limited (see pkeys(7)).
> >
> > One crazy idea is to use KVM as a sandbox for running the device and let
> > the vIOMMU control the page tables instead of the device (guest). That
> > way the hardware MMU provides memory translation, but I think this is
> > impractical because the guest environment is too different from the
> > Linux userspace environment.
> >
> > As a starting point adding DMA_READ/DMA_WRITE messages would provide the
> > functionality and security. Unfortunately it makes DMA expensive and
> > performance will suffer.
>
> Are you advocating for only using VFIO_USER_DMA_READ/WRITE and
> not passing FDs at all? The performance penalty would be large for the
> cases where the client and server are equally trusted. Or are you
> advocating for an option where the slower methods are used for cases
> where the server is less trusted?
I think the enforcing IOMMU should be optional (due to the performance overhead) but part of the spec from the start.

Stefan
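The sealing limitation Stefan's quoted paragraph refers to can be checked directly. The following program is an added example and is not part of this thread or of the vfio-user code: one process stands in for both the client that owns the memfd and the server that has already mapped it writably, then tries to take write access back with fcntl(F_ADD_SEALS). It assumes Linux 5.1 or newer (for F_SEAL_FUTURE_WRITE); the struct and function names are the example's own, and the memfd is created through a raw syscall only so that the example does not depend on the glibc wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux UAPI constants, spelled out so the example builds even when the
 * headers in use predate them (values from include/uapi/linux/{fcntl,memfd}.h). */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS (1024 + 9)
#endif
#ifndef F_SEAL_WRITE
#define F_SEAL_WRITE 0x0008
#endif
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010 /* Linux 5.1+ */
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif

/* Raw syscall instead of glibc's memfd_create(), so older libcs also build this. */
static int demo_memfd_create(const char *name, unsigned int flags)
{
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* One flag per observation made during the experiment (names are the example's own). */
struct seal_result {
    int seal_write_busy;      /* F_SEAL_WRITE refused with EBUSY while a writable mapping exists */
    int future_seal_applied;  /* F_SEAL_FUTURE_WRITE accepted despite that mapping */
    int old_mapping_writable; /* the pre-existing "server" mapping still takes writes */
    int new_write_map_denied; /* a fresh mmap(PROT_WRITE, MAP_SHARED) fails with EPERM */
    int err;                  /* errno of an unexpected setup failure, 0 otherwise */
};

struct seal_result run_seal_experiment(void)
{
    struct seal_result r = {0, 0, 0, 0, 0};
    long page = sysconf(_SC_PAGESIZE);

    /* Client side: create the memory that will be handed to the server. */
    int fd = demo_memfd_create("vfio-user-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) { r.err = errno; return r; }
    if (ftruncate(fd, page) < 0) { r.err = errno; close(fd); return r; }

    /* Server side: the fd has been passed and mapped writably before any seal is set. */
    volatile unsigned char *old = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (old == MAP_FAILED) { r.err = errno; close(fd); return r; }

    /* Client tries to revoke: F_SEAL_WRITE cannot be added while a shared writable mapping exists. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) < 0 && errno == EBUSY)
        r.seal_write_busy = 1;

    /* F_SEAL_FUTURE_WRITE can be added, but it only blocks *new* writable mappings. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == 0)
        r.future_seal_applied = 1;

    /* The server's existing mapping keeps writing; the client sees the write through the fd. */
    old[0] = 0x41;
    unsigned char readback = 0;
    if (pread(fd, &readback, 1, 0) == 1 && readback == 0x41)
        r.old_mapping_writable = 1;

    /* Only a mapping created after the seal is refused. */
    void *fresh = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (fresh == MAP_FAILED && errno == EPERM)
        r.new_write_map_denied = 1;
    else if (fresh != MAP_FAILED)
        munmap(fresh, (size_t)page);

    munmap((void *)old, (size_t)page);
    close(fd);
    return r;
}

int main(void)
{
    struct seal_result r = run_seal_experiment();
    if (r.err) {
        fprintf(stderr, "setup failed: %s\n", strerror(r.err));
        return 1;
    }
    printf("F_SEAL_WRITE refused (EBUSY) while server mapping exists: %d\n", r.seal_write_busy);
    printf("F_SEAL_FUTURE_WRITE accepted:                            %d\n", r.future_seal_applied);
    printf("server's old mapping still writable after seal:          %d\n", r.old_mapping_writable);
    printf("new writable mapping denied (EPERM):                     %d\n", r.new_write_map_denied);
    return 0;
}
```

Build with `cc -O2 -o memfd-seal memfd-seal.c` and run it. On a kernel with F_SEAL_FUTURE_WRITE all four lines print 1: the client can stop further writable mappings from being created, but it cannot add F_SEAL_WRITE once the server holds a writable mapping, and nothing it does through the fd takes away the mapping the server already has. That is exactly why sealing does not serve as a revocation mechanism for an untrusted server, and why an enforcing IOMMU or explicit DMA_READ/DMA_WRITE messages are needed for that case.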