From: Greg Kroah-Hartman
To: Dan Williams
Cc: Mika Westerberg, Alan Stern, "Kuppuswamy, Sathyanarayanan", "Michael S. Tsirkin", Borislav Petkov, X86 ML, Bjorn Helgaas, Thomas Gleixner, Ingo Molnar, Andreas Noever, Michael Jamet, Yehezkel Bernat, "Rafael J. Wysocki", Jonathan Corbet, Jason Wang, Andi Kleen, Kuppuswamy Sathyanarayanan, Linux Kernel Mailing List, Linux PCI, USB list, virtualization@lists.linux-foundation.org
Subject: Re: [PATCH v2 4/6] virtio: Initialize authorized attribute for confidential guest
Date: Wed, 6 Oct 2021 07:45:12 +0200
References: <1cfdce51-6bb4-f7af-a86b-5854b6737253@linux.intel.com> <20211001164533.GC505557@rowland.harvard.edu> <20211001190048.GA512418@rowland.harvard.edu>
List-ID: linux-kernel@vger.kernel.org

On Tue, Oct 05, 2021 at 03:33:29PM -0700, Dan Williams wrote:
> On Sun, Oct 3, 2021 at 10:16 PM Mika Westerberg wrote:
> >
> > Hi,
> >
> > On Fri, Oct 01, 2021 at 12:57:18PM -0700, Dan Williams wrote:
> > > > > Ah, so are you saying that it would be sufficient for USB if the
> > > > > generic authorized implementation did something like:
> > > > >
> > > > > dev->authorized = 1;
> > > > > device_attach(dev);
> > > > >
> > > > > ...for the authorize case, and:
> > > > >
> > > > > dev->authorized = 0;
> > > > > device_release_driver(dev);
> > > > >
> > > > > ...for the deauthorize case?
> > > >
> > > > Yes, I think so. But I haven't tried making this change to test and
> > > > see what really happens.
> > >
> > > Sounds like a useful path for this effort to explore. Especially as
> > > Greg seems to want the proposed "has_probe_authorization" flag in the
> > > bus_type to disappear and make this all generic. It just seems that
> > > Thunderbolt would need deeper surgery to move what it does in the
> > > authorization toggle path into the probe and remove paths.
> > >
> > > Mika, do you see a path for Thunderbolt to align its authorization
> > > paths behind bus ->probe() ->remove() events similar to what USB might
> > > be able to support for a generic authorization path?
> >
> > In Thunderbolt "authorization" actually means whether there is a PCIe
> > tunnel to the device or not. There is no driver bind/unbind happening
> > when authorization toggles (well on Thunderbolt bus, there can be on PCI
> > bus after the tunnel is established) so I'm not entirely sure how we
> > could use the bus ->probe() or ->remove for that to be honest.
>
> Greg, per your comment:
>
> "... which was to move the way that busses are allowed to authorize
> the devices they wish to control into a generic way instead of being
> bus-specific logic."
>
> We have USB and TB that have already diverged on the ABI here. The USB
> behavior is more in line with the "probe authorization" concept, while
> TB is about tunnel establishment and not cleanly tied to probe
> authorization. So while I see a path to a common authorization
> implementation for USB and other buses (per the insight from Alan), TB
> needs to retain the ability to record the authorization state as an
> enum rather than a bool, and emit a uevent on authorization status
> change.
>
> So how about something like the following that moves the attribute
> into the core, but still calls back to TB and USB to perform their
> legacy authorization work. This new authorized attribute only shows up
> when devices default to not authorized, i.e. when userspace owns the
> allow list past critical-boot built-in drivers, or if the bus (USB /
> TB) implements ->authorize().
At quick glance, this looks better, but it would be good to see someone
test it :)

thanks,

greg k-h