qemu-devel

Re: RFC: use VFIO over a UNIX domain socket to implement device offloadi


From: John G Johnson
Subject: Re: RFC: use VFIO over a UNIX domain socket to implement device offloading
Date: Thu, 18 Jun 2020 14:38:04 -0700


> On Jun 15, 2020, at 3:49 AM, Stefan Hajnoczi <stefanha@redhat.com> wrote:
> 
> 
> It's challenging to implement a fast and secure IOMMU. The simplest
> approach is secure but not fast: add protocol messages for
> DMA_READ(iova, length) and DMA_WRITE(iova, buffer, length).
> 

        We do have protocol messages for the case where no FD is
associated with the DMA region:  VFIO_USER_DMA_READ/WRITE.


> An issue with file descriptor passing is that it's hard to revoke access
> once the file descriptor has been passed. memfd supports sealing with
> fcntl(F_ADD_SEALS), but it doesn't revoke mmap(MAP_WRITE) on other processes.
> 
> Memory Protection Keys don't seem to be useful here either and their
> availability is limited (see pkeys(7)).
> 
> One crazy idea is to use KVM as a sandbox for running the device and let
> the vIOMMU control the page tables instead of the device (guest). That
> way the hardware MMU provides memory translation, but I think this is
> impractical because the guest environment is too different from the
> Linux userspace environment.
> 
> As a starting point adding DMA_READ/DMA_WRITE messages would provide the
> functionality and security. Unfortunately it makes DMA expensive and
> performance will suffer.
> 

        Are you advocating for only using VFIO_USER_DMA_READ/WRITE and
not passing FDs at all?  The performance penalty would be large for the
cases where the client and server are equally trusted.  Or are you
advocating for an option where the slower methods are used for cases
where the server is less trusted?

                                                                JJ
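
The revocation limit of memfd sealing raised in the quoted text can be checked directly on Linux. The following is an added example, not code from this thread or from QEMU: `probe_seal_revocation`, `struct seal_result` and the "dma-region" name are made up for illustration, and the "peer" mapping is created in the same process as a stand-in for the mapping a device server would make after receiving the FD.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_SIZE 4096

struct seal_result {
    int seal_while_mapped_errno; /* errno from F_SEAL_WRITE with a live writable mapping */
    int peer_write_visible;      /* 1 if a store through that mapping reached the file */
    int seal_after_unmap_rc;     /* fcntl() result once the mapping is gone */
    int new_map_errno;           /* errno from a fresh writable mmap after sealing */
};

/* Constructed scenario: "peer" stands in for the mapping a device server
 * would create after receiving the FD; here it lives in the same process. */
int probe_seal_revocation(struct seal_result *r)
{
    char byte = 0;
    int fd = memfd_create("dma-region", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0 || ftruncate(fd, REGION_SIZE) < 0)
        return -1;
    char *peer = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (peer == MAP_FAILED)
        return -1;
    /* The owner tries to make the region read-only while the peer has it mapped. */
    r->seal_while_mapped_errno = fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) < 0 ? errno : 0;
    /* The peer's mapping is untouched and still writable. */
    peer[0] = 'X';
    r->peer_write_visible = (pread(fd, &byte, 1, 0) == 1 && byte == 'X');
    /* Only after the peer unmaps voluntarily can the seal be applied. */
    munmap(peer, REGION_SIZE);
    r->seal_after_unmap_rc = fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE);
    /* With the seal in place, new shared writable mappings are refused. */
    void *again = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    r->new_map_errno = (again == MAP_FAILED) ? errno : 0;
    if (again != MAP_FAILED)
        munmap(again, REGION_SIZE);
    close(fd);
    return 0;
}

int main(void)
{
    struct seal_result r;
    if (probe_seal_revocation(&r) == 0)
        printf("seal while mapped: errno %d, peer write visible: %d, new map errno: %d\n",
               r.seal_while_mapped_errno, r.peer_write_visible, r.new_map_errno);
    return 0;
}
```
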




