Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}

From: Michael S. Tsirkin
Date: Fri Sep 10 2021 - 05:54:41 EST

Next message: Michael S. Tsirkin: "Re: [PATCH 6/6] vp_vdpa: introduce legacy virtio pci driver"
Previous message: Sebastian Andrzej Siewior: "[PATCH] virt: acrn: Remove unsued acrn_irqfds_mutex."
Next in thread: Andi Kleen: "Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 30, 2021 at 05:23:17PM -0700, Andi Kleen wrote:
>
> On 8/30/2021 1:59 PM, Michael S. Tsirkin wrote:
> >
> > > Or we can add _audited to the name. ioremap_shared_audited?
> > But it's not the mapping that has to be done in handled special way.
> > It's any data we get from device, not all of it coming from IO, e.g.
> > there's DMA and interrupts that all have to be validated.
> > Wouldn't you say that what is really wanted is just not running
> > unaudited drivers in the first place?
>
>
> Yes.

Then ... let's do just that?

>
> >
> > > And we've been avoiding that drivers can self declare auditing, we've been
> > > trying to have a separate centralized list so that it's easier to enforce
> > > and avoids any cut'n'paste mistakes.
> > >
> > > -Andi
> > Now I'm confused. What is proposed here seems to be basically that,
> > drivers need to declare auditing by replacing ioremap with
> > ioremap_shared.
>
> Auditing is declared on the device model level using a central allow list.

Can we not have an init call allow list instead of, or in addition to, a
device allow list?

> But this cannot do anything to initcalls that run before probe,

Can't we extend module_init so init calls are validated against the
allow list?

> that's why
> an extra level of defense of ioremap opt-in is useful.

OK even assuming this, why is pci_iomap opt-in useful?
That never happens before probe - there's simply no pci_device then.

> But it's not the
> primary mechanism to declare a driver audited, that's the allow list. The
> ioremap is just another mechanism to avoid having to touch a lot of legacy
> drivers.
>
> If we agree on that then the original proposed semantics of "ioremap_shared"
> may be acceptable?
>
> -Andi
>

It looks suspiciously like drivers self-declaring auditing to me which
we both seem to agree is undesirable. What exactly is the difference?

Or are you just trying to disable anything that runs before probe?
In that case I don't see a reason to touch pci drivers though.
These should be fine with just the device model list.

--
MST

Next message: Michael S. Tsirkin: "Re: [PATCH 6/6] vp_vdpa: introduce legacy virtio pci driver"
Previous message: Sebastian Andrzej Siewior: "[PATCH] virt: acrn: Remove unsued acrn_irqfds_mutex."
Next in thread: Andi Kleen: "Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]