On 8/2/2025 11:18 PM, Jason Gunthorpe wrote:
On Sat, Aug 02, 2025 at 09:45:08AM +0800, Ethan Zhao wrote:
On 7/9/2025 10:52 PM, Jason Gunthorpe wrote:
The series patches have extensive descriptions as to the problem and
solution, but in short the ACS flags are not analyzed according to the
spec to form the iommu_groups that VFIO is expecting for security.
ACS is an egress control only. For a path the ACS flags on each hop only
effect what other devices the TLP is allowed to reach. It does not prevent
other devices from reaching into this path.
Perhaps I was a little confused here, the egress control vector on the
Linux does not support egress control vector. Enabling that is a
different project and we would indeed need to introduce different
logic.
My understanding, iommu has no logic yet to handle the egress control
vector configuration case, the static groups were created according to
FW DRDB tables, also not the case handled by notifiers for Hot-plug
events (BUS_NOTIFY_ADD_DEVICE etc). iommu groups need some kind of {
add, remove etc } per egress control vector configuration operation.
Thanks,
Ethan>
Jason
