Re: [PATCH v4 04/22] iommu/vt-d: add bind_pasid_table function

[Jacob Pan]

On Wed, 6 Jun 2018 12:20:51 +0100
Jean-Philippe Brucker <jean-philippe.brucker@xxxxxxx> wrote:

> On 05/06/18 18:32, Jacob Pan wrote:
> >> "bytes" could be passed by VFIO as argument to bind_pasid_table,
> >> since it can deduce it from argsz
> >>  
> > Are you suggesting we wrap this struct in a vfio struct with argsz?
> > or we directly use this struct?
> > 
> > I need to clarify how vfio will use this.  
> 
> Right, I think we've diverged a bit since the last discussion :)
> 
> > - User program:
> > struct pasid_table_config ptc = { .bytes = sizeof(ptc) };
> > ptc.version = 1;
> > ioctl(device, VFIO_DEVICE_BIND_PASID_TABLE, &ptc);  
> 
> Any reason to do the ioctl on device instead of container? As we're
> binding address spaces we probably want a consistent view for the
> whole container, like the MAP/UNMAP ioctls do.
> 
I was thinking the pasid table storage is per device, it would be
more secure if the pasid table is contained within the device. We
should have one device per container in most cases.
in case of two or more devices in the same container shares the same
pasid table, isolation may not be good in that the second device can
dma with pasids it does not own but in the shared pasid table.

> As I remember it the userspace interface would use a VFIO header and
> the BIND ioctl. I can't find the email in my archive though, so I
> might be imagining it. This is what I remember, on the user side:
> 
> struct {
> 	struct vfio_iommu_type1_bind	hdr;
> 	struct pasid_table_config	cfg;
> } bind = {
> 	.hdr.argsz	= sizeof(bind),
> 	.hdr.flags	= VFIO_IOMMU_BIND_PASID_TABLE,
> 	/* cfg data here */
> };
> 
> ioctl(container, VFIO_DEVICE_BIND, &bind);
> 
or maybe just use your VFIO_IOMMU_BIND command and vfio_iommu_type1_bind
with a new flag and PTC as the data. there can be future extensions,
bind pasid table can be too narrow. And i agree below using argsz and
flags are more flexible.

i.e.
/* takes pasid_table_config as data for flag VFIO_IOMMU_BIND_PASIDTBL */
struct vfio_iommu_type1_bind {
	__u32	argsz;
	__u32	flags;
#define VFIO_IOMMU_BIND_PROCESS		(1 << 0)
#define VFIO_IOMMU_BIND_PASIDTBL	(1 << 1)
	__u8	data[];
};

pseudo code in kernel:
	switch (bind.flags) {
	case VFIO_IOMMU_BIND_PROCESS:
		return vfio_iommu_type1_bind_process(iommu, (void *)arg,
						     &bind);
	case VFIO_IOMMU_BIND_PASIDTBL:
		return vfio_iommu_type1_bind_pasid_tbl(iommu, &bind);
}

vfio_iommu_type1_bind_pasid_tbl(iommu, bind)
{
	/* loop through domain list, group, device */
	struct pasid_table_cfg *ptc = bind->data;
	iommu_bind_pasid_table(domain, device, ptc);
}


> 
> But I don't feel strongly about the interface. However I'd suggest to
> keep incremental versioning like the rest of VFIO, with argsz and
> flags, instead of version numbers, because it's more flexible.
> 
> Initially the PTC struct would look like:
> struct pasid_table_config {
>   u32 argsz;		/* sizeof(pasid_table_config) */
>   u32 flags;		/* Should be zero */
>   u64 base_ptr;
>   u8 model;
>   u8 pasid_bits;
> };
> 
> (Even though it doesn't use a version field let's call this version 1
> for the sake of the example)
> 
> ------
> If someone wants to add a new field to the structure, then they also
> add a flag (let's call this version 2):
> 
> struct pasid_table_config {
>   u32 argsz;
> #define PASID_TABLE_CONFIG_EXTN (1 << 0)
>   u32 flags;
>   u64 base_ptr;
>   u8 model;
>   u8 pasid_bits;
>   u64 some_extension;
> };
> 
> * Assume user has a version 2 header and kernel has a version 1
> header.
>   * If user doesn't want the extension, it doesn't set the EXTN flag.
>     The ioctl succeeds because the kernel checks that argsz >=
>     offsetofend(pasid_bits) and that (flags == 0).
>   * If user wants to use the extension, it sets the EXTN flag. The
> ioctl fails because the kernel doesn't recognize the flag.
> * Assume user has version 1 and kernel has version 2.
>   * User doesn't use the extension. The kernel still checks that
>     argsz >= offsetofend(pasid_bits), but also that (flags &
>     ~PASID_TABLE_CONFIG_EXTN), which succeeds.
>   * User wants the extension, sets PASID_TABLE_CONFIG_EXTN. When
>     seeing the flag, the kernel additionally checks that argsz >=
>     offsetofend(some_extension), which succeeds.
> 
> ------
> Adding model-specific fields is a bit more complicated, because I
> think they should always stay at the end of the struct. One solution
> is to add padding for common extensions:
> 
> struct pasid_table_config {
>   u32 argsz;
>   u32 flags;
>   u64 base_ptr;
>   u8 model;
>   u8 pasid_bits;
>   u8 padding[64];
> 
>   union {
>     struct {
>       u8 s1dss;
>       u8 s1fmt;
>     } model_arm;
>     struct {
>       u64 foo;
>     } model_bar;
>   };
> };
> 
> (we might call this version 3, but can be added before or after
> version 2, it doesn't matter)
> 
> A subsequent extension can still add the "some_extension" field and a
> flag. If the kernel sees model "ARM", then it checks argsz >=
> offsetofend(model_arm). If it sees model "BAR" then it checks argsz >=
> offsetofend(model_bar). A model could also have flags to make the
> model-specific structure extensible.
> 
> The problem is when we run out of space in the padding area, but we
> might not need much extensibility in the common part.
> 
> Thanks,
> Jean

[Jacob Pan]