On Thu, Jan 13, 2022 at 09:28:19AM +0800, Jason Wang wrote:
> On Wed, Jan 12, 2022 at 6:44 PM Stefan Hajnoczi wrote:
> >
> > On Wed, Jan 12, 2022 at 01:57:53PM +0800, Jason Wang wrote:
> > > Hi All:
> > >
> > > This series tries to add PASID support for virtio-pci to allow the
> > > virtqueue to use PASID TLP prefix for PCI transactions. This will be
> > > useful for future work like, queue assignment, virtqueue
> > > virtualization and presenting multiple vDPA devices with a single PCI
> > > device.
> > >
> > > Since we're short of the space for the PCI capabilities, the PCI
> > > extended capability for virtio structure is introduced that allows the
> > > PASID configuration structure to use.
> > >
> > > A prototype is implemented with emulated virtio-pci device in [1]. A
> > > test driver is implemented in [2].
> > >
> > > Please review.
> >
> > I don't know the security model for PASIDs. My guess is that PASIDs can
> > be bruteforced so we must trust the driver (it can assign PASIDs to
> > virtqueue groups) and we must prevent untrusted applications from
> > setting PASIDs on virtqueues. Is that correct?
>
> Yes, and the kernel can choose to hide PASID even for the trusted
> application by using token or other intermediate layers.

It would be good to describe the security model from a virtio-pci
perspective so driver implementors don't accidentally expose trusted
interfaces to untrusted applications.

It's obvious to someone who already understands and has thought through
all of this, but not obvious to someone who is implementing a driver for
the first time or someone who is modifying the VIRTIO specification and
doesn't know/care about PASIDs.

Stefan