Re: [PATCH v8 8/9] hisi_acc_vfio_pci: Add support for VFIO live migration

[Alex Williamson <alex.williamson@redhat.com>]

On Tue, 8 Mar 2022 08:11:11 +0000
"Tian, Kevin" <kevin.tian@intel.com> wrote:

> > From: Alex Williamson <alex.williamson@redhat.com>
> > Sent: Tuesday, March 8, 2022 3:53 AM  
> > >  
> > > > I think we still require acks from Bjorn and Zaibo for select patches
> > > > in this series.  
> > >
> > > I checked with Ziabo. He moved projects and is no longer looking into  
> > crypto stuff.  
> > > Wangzhou and LiuLongfang now take care of this. Received acks from  
> > Wangzhou  
> > > already and I will request Longfang to provide his. Hope that's ok.  
> > 
> > Maybe a good time to have them update MAINTAINERS as well.  Thanks,
> >   
> 
> I have one question here (similar to what we discussed for mdev before).
> 
> Now we are adding vendor specific drivers under /drivers/vfio. Two drivers
> on radar and more will come. Then what would be the criteria for 
> accepting such a driver? Do we prefer to a model in which the author should
> provide enough background for vfio community to understand how it works 
> or as done here just rely on the PF driver owner to cover device specific
> code?
> 
> If the former we may need document some process for what information
> is necessary and also need secure increased review bandwidth from key
> reviewers in vfio community.
> 
> If the latter then how can we guarantee no corner case overlooked by both
> sides (i.e. how to know the coverage of total reviews)? Another open is who
> from the PF driver sub-system should be considered as the one to give the
> green signal. If the sub-system maintainer trusts the PF driver owner and
> just pulls commits from him then having the r-b from the PF driver owner is
> sufficient. But if the sub-system maintainer wants to review detail change
> in every underlying driver then we probably also want to get the ack from
> the maintainer.
> 
> Overall I didn't mean to slow down the progress of this series. But above
> does be some puzzle occurred in my review. 😊

Hi Kevin,

Good questions, I'd like a better understanding of expectations as
well.  I think the intentions are the same as any other sub-system, the
drivers make use of shared interfaces and extensions and the role of
the sub-system should be to make sure those interfaces are used
correctly and extensions fit well within the overall design.  However,
just as the network maintainer isn't expected to fully understand every
NIC driver, I think/hope we have the same expectations here.  It's
certainly a benefit to the community and perceived trustworthiness if
each driver outlines its operating model and security nuances, but
those are only ever going to be the nuances identified by the people
who have the access and energy to evaluate the device.

It's going to be up to the community to try to determine that any new
drivers are seriously considering security and not opening any new gaps
relative to behavior using the base vfio-pci driver.  For the driver
examples we have, this seems a bit easier than evaluating an entire
mdev device because they're largely providing direct access to the
device rather than trying to multiplex a shared physical device.  We
can therefore focus on incremental functionality, as both drivers have
done, implementing a boilerplate vendor driver, then adding migration
support.  I imagine this won't always be the case though and some
drivers will re-implement much of the core to support further emulation
and shared resources.

So how do we as a community want to handle this?  I wouldn't mind, I'd
actually welcome, some sort of review requirement for new vfio vendor
driver variants.  Is that reasonable?  What would be the criteria?
Approval from the PF driver owner, if different/necessary, and at least
one unaffiliated reviewer (preferably an active vfio reviewer or
existing vfio variant driver owner/contributor)?  Ideas welcome.
Thanks,

Alex