From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <andre.o.richter@gmail.com>
Received: from mail-la0-f51.google.com (mail-la0-f51.google.com
 [209.85.215.51]) by dpdk.org (Postfix) with ESMTP id E419F5A73
 for <dev@dpdk.org>; Tue, 31 Mar 2015 11:26:14 +0200 (CEST)
Received: by lagg8 with SMTP id g8so8050535lag.1
 for <dev@dpdk.org>; Tue, 31 Mar 2015 02:26:14 -0700 (PDT)
X-Received: by 10.152.87.162 with SMTP id az2mr13857458lab.58.1427793974629;
 Tue, 31 Mar 2015 02:26:14 -0700 (PDT)
MIME-Version: 1.0
References: <20150330133507.77ff6b1d@urahara> <20150330133742.57adef52@urahara>
 <C6ECDF3AB251BE4894318F4E4512369780C7A59F@IRSMSX109.ger.corp.intel.com>
In-Reply-To: <C6ECDF3AB251BE4894318F4E4512369780C7A59F@IRSMSX109.ger.corp.intel.com>
From: Andre Richter <andre.o.richter@gmail.com>
Date: Tue, 31 Mar 2015 09:26:13 +0000
Message-ID: <CAKqeN2-vJpvjAL2gj=M=arkZmDz+1UmTbiSngixSkq2uCQQXgg@mail.gmail.com>
To: "Burakov, Anatoly" <anatoly.burakov@intel.com>, 
 Stephen Hemminger <stephen@networkplumber.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] VFIO in setup.sh
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 09:26:15 -0000

I think the whole process of VFIO binding maybe needs at least a second
thought regarding corner cases and security.

1) In the setup process, there currently is no mechanism that checks if the
device to be used has other devices in the same iommu group that need to be
bound to VFIO too. Otherwise using VFIO will fail.
I think currently, it only works if the network device is the only one in
its iommu group.

2) Right now everything inside /dev/vfio/ is granted to all users,
right? Maybe this leads to (security) issues if VFIO is in active use by
other non-dpdk processes for other PCIe devices.

Cheers,
Andre
Burakov, Anatoly <anatoly.burakov@intel.com> wrote on Tue, 31 March 2015
at 11:05:

> > > 3. Why depend on location of vfio module in kernel tree?
> > >    modprobe does the right thing and finds it.
> > >
> > >     VFIO_PATH="kernel/drivers/vfio/pci/vfio-pci.ko"
> > >
> > >     echo "Loading VFIO module"
> > >     /sbin/lsmod | grep -s vfio_pci > /dev/null
> > >     if [ $? -ne 0 ] ; then
> > >             if [ -f /lib/modules/$(uname -r)/$VFIO_PATH ] ; then
> > >                     sudo /sbin/modprobe vfio-pci
> > >             fi
> > >     fi
> > >
>
> Here I agree. Needs to be fixed.
>
> Thanks,
> Anatoly
>
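
The check that point 1 of the message above says is missing, as an added example that is not part of the original message or of DPDK's setup.sh. The function name and the `SYSFS` override are hypothetical, and treating `vfio-pci`, `pci-stub` or no driver as acceptable for the other group members is an assumption.

```shell
#!/bin/sh
# Added example, not DPDK code. SYSFS can be pointed at a constructed
# tree so the check can be exercised without real hardware.
SYSFS="${SYSFS:-/sys}"

# vfio_group_blockers <pci-address>
# Lists every other PCI device in the same IOMMU group as the given
# device (full address, e.g. 0000:01:00.0) that is bound to a driver
# other than vfio-pci or pci-stub. Unbound devices are accepted.
# Assumption: that driver set is what leaves the group usable via VFIO.
# Output: one "<address> <driver>" line per blocking device.
# Returns 0 if nothing blocks the group, 1 if blockers were found,
# 2 if the device has no IOMMU group (IOMMU off or unknown address).
vfio_group_blockers() {
    dev="$SYSFS/bus/pci/devices/$1"
    [ -e "$dev/iommu_group" ] || return 2
    found=0
    for peer in "$dev"/iommu_group/devices/*; do
        [ -e "$peer" ] || continue
        addr=$(basename "$peer")
        # The device itself is about to be rebound, so skip it.
        [ "$addr" = "$1" ] && continue
        if [ -L "$peer/driver" ]; then
            drv=$(basename "$(readlink -f "$peer/driver")")
        else
            drv=""
        fi
        case "$drv" in
            ""|vfio-pci|pci-stub) ;;
            *) echo "$addr $drv"; found=1 ;;
        esac
    done
    return $found
}
```

A setup script would call `vfio_group_blockers 0000:01:00.0` before binding and either rebind each listed device or stop with an error.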