From: Steven Price [mailto:[email protected]
Sent: 14 December 2020 13:43
To: Robin Murphy <robin.murphy(a)arm.com>; Shameerali Kolothum Thodi
Cc: Linuxarm <linuxarm(a)huawei.com>; lorenzo.pieralisi(a)arm.com;
joro(a)8bytes.org; wanghuiqiang <wanghuiqiang(a)huawei.com>; Guohanjun
(Hanjun Guo) <guohanjun(a)huawei.com>; Jonathan Cameron
Subject: Re: [RFC PATCH v2 0/8] ACPI/IORT: Support for IORT RMR node
On 14/12/2020 12:33, Robin Murphy wrote:
> On 2020-12-14 10:55, Shameerali Kolothum Thodi wrote:
>> Hi Steve,
>>> -----Original Message-----
>>> From: Steven Price [mailto:[email protected]
>>> Sent: 10 December 2020 10:26
>>> To: Shameerali Kolothum Thodi
>>> linux-arm-kernel(a)lists.infradead.org; linux-acpi(a)vger.kernel.org;
>>> iommu(a)lists.linux-foundation.org; devel(a)acpica.org
>>> Cc: Linuxarm <linuxarm(a)huawei.com>; lorenzo.pieralisi(a)arm.com;
>>> joro(a)8bytes.org; robin.murphy(a)arm.com; wanghuiqiang
>>> <wanghuiqiang(a)huawei.com>; Guohanjun (Hanjun Guo)
>>> <guohanjun(a)huawei.com>; Jonathan Cameron
>>> <jonathan.cameron(a)huawei.com>; Sami.Mujawar(a)arm.com
>>> Subject: Re: [RFC PATCH v2 0/8] ACPI/IORT: Support for IORT RMR node
>>> On 19/11/2020 12:11, Shameer Kolothum wrote:
>>>> RFC v1 --> v2:
>>>> - Added a generic interface for IOMMU drivers to retrieve all the
>>>> RMR info associated with a given IOMMU.
>>>> - SMMUv3 driver gets the RMR list during probe() and installs
>>>> bypass STEs for all the SIDs in the RMR list. This is to keep
>>>> the ongoing traffic alive(if any) during SMMUv3 reset. This is
>>>> based on the suggestions received for v1 to take care of the
>>>> EFI framebuffer use case. Only sanity tested for now.
>>> Hi Shameer,
>>> Sorry for not looking at this before.
>>> Do you have any plans to implement support in the SMMUv2 driver? The
>>> platform I've been testing the EFI framebuffer support on has the
>>> display controller behind SMMUv2, so as it stands this series doesn't
>>> work. I did hack something up for SMMUv2 so I was able to test the first
>>> 4 patches.
>> Thanks for taking a look. Sure, I can look into adding the support for
>>>> - During the probe/attach device, SMMUv3 driver reserves any
>>>> RMR region associated with the device such that there is a unity
>>>> mapping for them in SMMU.
>>> For the EFI framebuffer use case there is no device to attach so I
>>> believe we are left with just the stream ID in bypass mode - which is
>>> definitely an improvement (the display works!)
>> Cool. That’s good to know.
>> but not actually a unity
>>> mapping of the RMR range. I'm not sure whether it's worth fixing
>>> not, but I just wanted to point out there's still a need for a driver
>>> for the device before the bypass mode is replaced with the unity
>> I am not sure either. My idea was we will have bypass STE setup for
>> all devices
>> with RMR initially and when the corresponding driver takes over(if
>> that happens)
>> we will have the unity mapping setup properly for the RMR regions. And
>> for cases
>> like the above, it will remain in the bypass mode.
>> Do you see any problem(security?) if the dev streams remain in bypass
>> mode for
>> this dev? Or is it possible to have a stub driver for this dev, so
>> that we will have
>> the probe/attach invoked and everything will fall in place?
> The downside is that if a driver never binds to that device, it remains
> bypassed. If some other externally-controlled malicious device could
> manage to spoof that device's requester ID, that could potentially be
>> TBH, I haven't looked into creating a temp domain for these types of
>> the devices
>> and also not sure how we benefit from that compared to the STE bypass
> That said, setting up temporary translation contexts that ensure any
> access can *only* be to RMR regions until a driver takes over is an
> awful lot more work. I'm inclined to be pragmatic here and say we should
> get things working at all with the simple bypass STE/S2CR method, then
> look at adding the higher-security effort on top.
> Right now systems that need this are either broken (but effectively
> secure) or using default bypass with SMMUv2. People who prefer to
> maintain security over functionality in the interim can maintain that
> status quo by simply continuing to not describe any RMRs.
I agree with Robin, let's get this working with the bypass mode (until
the device binds) like you've currently got. It's much better than what
we have otherwise. Then once that is merged we can look at the temporary
translation context or stub driver. The temporary translation context
would be 'neatest', but I'm only aware of the EFI framebuffer use case
and for that it might be possible to do something simpler - if indeed
anything is needed at all. I'm not sure how much we need to be worried
about malicious devices spoofing requester IDs.
Perfect. I will keep the STE bypass and respin the series once the update
to the IORT rev E is made public(hope that will happen soon). In the
meantime, appreciate any feedback on the rest of the patches in this series.