[PATCH 0/2] PCI: Describe external-facing ports in device tree

[PATCH 0/2] PCI: Describe external-facing ports in device tree

[Jean-Philippe Brucker]

Add an "external-facing" property to PCI ports in device-tree, to help
identify untrusted devices. The notion of untrusted PCI devices was
added to the v5.0 kernel to describe devices that should have strict
IOMMU protection [1], for example devices that are plugged in a
thunderbolt port. ACPI systems use the ExternalFacingPort property [2].
Add an equivalent mechanism to device tree.

[1] https://lkml.org/lkml/2018/11/26/631
[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports

Jean-Philippe Brucker (2):
  dt-bindings: Add external-facing PCIe port property
  PCI: OF: Support external-facing property

 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 drivers/pci/of.c                              |  3 ++
 2 files changed, 50 insertions(+)

-- 
2.21.0

[PATCH 0/2] PCI: Describe external-facing ports in device tree

[Jean-Philippe Brucker]

Add an "external-facing" property to PCI ports in device-tree, to help
identify untrusted devices. The notion of untrusted PCI devices was
added to the v5.0 kernel to describe devices that should have strict
IOMMU protection [1], for example devices that are plugged in a
thunderbolt port. ACPI systems use the ExternalFacingPort property [2].
Add an equivalent mechanism to device tree.

[1] https://lkml.org/lkml/2018/11/26/631
[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports

Jean-Philippe Brucker (2):
  dt-bindings: Add external-facing PCIe port property
  PCI: OF: Support external-facing property

 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 drivers/pci/of.c                              |  3 ++
 2 files changed, 50 insertions(+)

-- 
2.21.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 0/2] PCI: Describe external-facing ports in device tree

[Jean-Philippe Brucker]

Add an "external-facing" property to PCI ports in device-tree, to help
identify untrusted devices. The notion of untrusted PCI devices was
added to the v5.0 kernel to describe devices that should have strict
IOMMU protection [1], for example devices that are plugged in a
thunderbolt port. ACPI systems use the ExternalFacingPort property [2].
Add an equivalent mechanism to device tree.

[1] https://lkml.org/lkml/2018/11/26/631
[2] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports

Jean-Philippe Brucker (2):
  dt-bindings: Add external-facing PCIe port property
  PCI: OF: Support external-facing property

 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 drivers/pci/of.c                              |  3 ++
 2 files changed, 50 insertions(+)

-- 
2.21.0

[PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

Provide a way for the firmware to tell the OS which devices are external
to the machine and therefore untrusted. The property can describe for
example thunderbolt and other hot-pluggable ports, which should always
have the strongest IOMMU protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
index c77981c5dd18..55cdbc5d2804 100644
--- a/Documentation/devicetree/bindings/pci/pci.txt
+++ b/Documentation/devicetree/bindings/pci/pci.txt
@@ -24,3 +24,50 @@ driver implementation may support the following properties:
    unsupported link speed, for instance, trying to do training for
    unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
    for gen2, and '1' for gen1. Any other values are invalid.
+
+PCI-PCI Bridge properties
+-------------------------
+
+Root ports and switch ports may be described explicitly in the device
+tree, as children of the host bridge node. Even though those devices are
+discoverable by probing, it might be necessary to describe properties that
+aren't provided by standard PCIe capabilities.
+
+Required properties:
+
+- reg:
+   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
+   document, it is a five-cell address encoded as (phys.hi phys.mid
+   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
+   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
+
+   The bus number is defined by firmware, through the standard bridge
+   configuration mechanism. If this port is a switch port, then firmware
+   allocates the bus number and writes it into the Secondary Bus Number
+   register of the bridge directly above this port. Otherwise, the bus
+   number of a root port is the first number in the bus-range property,
+   defaulting to zero.
+
+   If firmware leaves the ARI Forwarding Enable bit set in the bridge
+   above this port, then phys.hi contains the 8-bit function number as
+   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
+   recommends that firmware only leaves ARI enabled when it knows that the
+   OS is ARI-aware.
+
+Optional properties:
+
+- external-facing:
+   When present, the port is external facing. All bridges and endpoints
+   downstream of this port are external to the machine.
+
+Example:
+
+pcie@10000000 {
+	compatible = "pci-host-ecam-generic";
+	...
+	pcie@0008 {
+		/* Root port 00:01.0 is external-facing */
+		reg = <0x00000800 0 0 0 0>;
+		external-facing;
+	};
+};
-- 
2.21.0

[PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

Provide a way for the firmware to tell the OS which devices are external
to the machine and therefore untrusted. The property can describe for
example thunderbolt and other hot-pluggable ports, which should always
have the strongest IOMMU protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
index c77981c5dd18..55cdbc5d2804 100644
--- a/Documentation/devicetree/bindings/pci/pci.txt
+++ b/Documentation/devicetree/bindings/pci/pci.txt
@@ -24,3 +24,50 @@ driver implementation may support the following properties:
    unsupported link speed, for instance, trying to do training for
    unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
    for gen2, and '1' for gen1. Any other values are invalid.
+
+PCI-PCI Bridge properties
+-------------------------
+
+Root ports and switch ports may be described explicitly in the device
+tree, as children of the host bridge node. Even though those devices are
+discoverable by probing, it might be necessary to describe properties that
+aren't provided by standard PCIe capabilities.
+
+Required properties:
+
+- reg:
+   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
+   document, it is a five-cell address encoded as (phys.hi phys.mid
+   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
+   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
+
+   The bus number is defined by firmware, through the standard bridge
+   configuration mechanism. If this port is a switch port, then firmware
+   allocates the bus number and writes it into the Secondary Bus Number
+   register of the bridge directly above this port. Otherwise, the bus
+   number of a root port is the first number in the bus-range property,
+   defaulting to zero.
+
+   If firmware leaves the ARI Forwarding Enable bit set in the bridge
+   above this port, then phys.hi contains the 8-bit function number as
+   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
+   recommends that firmware only leaves ARI enabled when it knows that the
+   OS is ARI-aware.
+
+Optional properties:
+
+- external-facing:
+   When present, the port is external facing. All bridges and endpoints
+   downstream of this port are external to the machine.
+
+Example:
+
+pcie@10000000 {
+	compatible = "pci-host-ecam-generic";
+	...
+	pcie@0008 {
+		/* Root port 00:01.0 is external-facing */
+		reg = <0x00000800 0 0 0 0>;
+		external-facing;
+	};
+};
-- 
2.21.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

Provide a way for the firmware to tell the OS which devices are external
to the machine and therefore untrusted. The property can describe for
example thunderbolt and other hot-pluggable ports, which should always
have the strongest IOMMU protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
index c77981c5dd18..55cdbc5d2804 100644
--- a/Documentation/devicetree/bindings/pci/pci.txt
+++ b/Documentation/devicetree/bindings/pci/pci.txt
@@ -24,3 +24,50 @@ driver implementation may support the following properties:
    unsupported link speed, for instance, trying to do training for
    unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
    for gen2, and '1' for gen1. Any other values are invalid.
+
+PCI-PCI Bridge properties
+-------------------------
+
+Root ports and switch ports may be described explicitly in the device
+tree, as children of the host bridge node. Even though those devices are
+discoverable by probing, it might be necessary to describe properties that
+aren't provided by standard PCIe capabilities.
+
+Required properties:
+
+- reg:
+   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
+   document, it is a five-cell address encoded as (phys.hi phys.mid
+   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
+   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
+
+   The bus number is defined by firmware, through the standard bridge
+   configuration mechanism. If this port is a switch port, then firmware
+   allocates the bus number and writes it into the Secondary Bus Number
+   register of the bridge directly above this port. Otherwise, the bus
+   number of a root port is the first number in the bus-range property,
+   defaulting to zero.
+
+   If firmware leaves the ARI Forwarding Enable bit set in the bridge
+   above this port, then phys.hi contains the 8-bit function number as
+   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
+   recommends that firmware only leaves ARI enabled when it knows that the
+   OS is ARI-aware.
+
+Optional properties:
+
+- external-facing:
+   When present, the port is external facing. All bridges and endpoints
+   downstream of this port are external to the machine.
+
+Example:
+
+pcie@10000000 {
+	compatible = "pci-host-ecam-generic";
+	...
+	pcie@0008 {
+		/* Root port 00:01.0 is external-facing */
+		reg = <0x00000800 0 0 0 0>;
+		external-facing;
+	};
+};
-- 
2.21.0

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
> Provide a way for the firmware to tell the OS which devices are external
> to the machine and therefore untrusted. The property can describe for
> example thunderbolt and other hot-pluggable ports, which should always
> have the strongest IOMMU protection.

s/thunderbolt/Thunderbolt/

I think the important bit is that the port is user-accessible, whether
it is hot-pluggable or not, right?

I think I'm OK with this from a PCI perspective.

> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>  1 file changed, 47 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
> index c77981c5dd18..55cdbc5d2804 100644
> --- a/Documentation/devicetree/bindings/pci/pci.txt
> +++ b/Documentation/devicetree/bindings/pci/pci.txt
> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>     unsupported link speed, for instance, trying to do training for
>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>     for gen2, and '1' for gen1. Any other values are invalid.
> +
> +PCI-PCI Bridge properties
> +-------------------------
> +
> +Root ports and switch ports may be described explicitly in the device

Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
to both conventional PCI and PCIe?

> +tree, as children of the host bridge node. Even though those devices are
> +discoverable by probing, it might be necessary to describe properties that
> +aren't provided by standard PCIe capabilities.
> +
> +Required properties:
> +
> +- reg:
> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
> +   document, it is a five-cell address encoded as (phys.hi phys.mid
> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
> +
> +   The bus number is defined by firmware, through the standard bridge
> +   configuration mechanism. If this port is a switch port, then firmware
> +   allocates the bus number and writes it into the Secondary Bus Number
> +   register of the bridge directly above this port. Otherwise, the bus
> +   number of a root port is the first number in the bus-range property,
> +   defaulting to zero.
> +
> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
> +   above this port, then phys.hi contains the 8-bit function number as
> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
> +   recommends that firmware only leaves ARI enabled when it knows that the
> +   OS is ARI-aware.
> +
> +Optional properties:
> +
> +- external-facing:
> +   When present, the port is external facing. All bridges and endpoints
> +   downstream of this port are external to the machine.

Maybe include a note about why this is important, ie, we care because
malicious devices may be attached to an external port?  I know you
have that in the commit log but it would be more visible here.

Elsewhere you use "external-facing", here too for consistency?

> +Example:
> +
> +pcie@10000000 {
> +	compatible = "pci-host-ecam-generic";
> +	...
> +	pcie@0008 {
> +		/* Root port 00:01.0 is external-facing */
> +		reg = <0x00000800 0 0 0 0>;
> +		external-facing;
> +	};
> +};
> -- 
> 2.21.0
> 
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
> Provide a way for the firmware to tell the OS which devices are external
> to the machine and therefore untrusted. The property can describe for
> example thunderbolt and other hot-pluggable ports, which should always
> have the strongest IOMMU protection.

s/thunderbolt/Thunderbolt/

I think the important bit is that the port is user-accessible, whether
it is hot-pluggable or not, right?

I think I'm OK with this from a PCI perspective.

> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>  1 file changed, 47 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
> index c77981c5dd18..55cdbc5d2804 100644
> --- a/Documentation/devicetree/bindings/pci/pci.txt
> +++ b/Documentation/devicetree/bindings/pci/pci.txt
> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>     unsupported link speed, for instance, trying to do training for
>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>     for gen2, and '1' for gen1. Any other values are invalid.
> +
> +PCI-PCI Bridge properties
> +-------------------------
> +
> +Root ports and switch ports may be described explicitly in the device

Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
to both conventional PCI and PCIe?

> +tree, as children of the host bridge node. Even though those devices are
> +discoverable by probing, it might be necessary to describe properties that
> +aren't provided by standard PCIe capabilities.
> +
> +Required properties:
> +
> +- reg:
> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
> +   document, it is a five-cell address encoded as (phys.hi phys.mid
> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
> +
> +   The bus number is defined by firmware, through the standard bridge
> +   configuration mechanism. If this port is a switch port, then firmware
> +   allocates the bus number and writes it into the Secondary Bus Number
> +   register of the bridge directly above this port. Otherwise, the bus
> +   number of a root port is the first number in the bus-range property,
> +   defaulting to zero.
> +
> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
> +   above this port, then phys.hi contains the 8-bit function number as
> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
> +   recommends that firmware only leaves ARI enabled when it knows that the
> +   OS is ARI-aware.
> +
> +Optional properties:
> +
> +- external-facing:
> +   When present, the port is external facing. All bridges and endpoints
> +   downstream of this port are external to the machine.

Maybe include a note about why this is important, ie, we care because
malicious devices may be attached to an external port?  I know you
have that in the commit log but it would be more visible here.

Elsewhere you use "external-facing", here too for consistency?

> +Example:
> +
> +pcie@10000000 {
> +	compatible = "pci-host-ecam-generic";
> +	...
> +	pcie@0008 {
> +		/* Root port 00:01.0 is external-facing */
> +		reg = <0x00000800 0 0 0 0>;
> +		external-facing;
> +	};
> +};
> -- 
> 2.21.0
> 
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
> Provide a way for the firmware to tell the OS which devices are external
> to the machine and therefore untrusted. The property can describe for
> example thunderbolt and other hot-pluggable ports, which should always
> have the strongest IOMMU protection.

s/thunderbolt/Thunderbolt/

I think the important bit is that the port is user-accessible, whether
it is hot-pluggable or not, right?

I think I'm OK with this from a PCI perspective.

> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>  1 file changed, 47 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
> index c77981c5dd18..55cdbc5d2804 100644
> --- a/Documentation/devicetree/bindings/pci/pci.txt
> +++ b/Documentation/devicetree/bindings/pci/pci.txt
> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>     unsupported link speed, for instance, trying to do training for
>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>     for gen2, and '1' for gen1. Any other values are invalid.
> +
> +PCI-PCI Bridge properties
> +-------------------------
> +
> +Root ports and switch ports may be described explicitly in the device

Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
to both conventional PCI and PCIe?

> +tree, as children of the host bridge node. Even though those devices are
> +discoverable by probing, it might be necessary to describe properties that
> +aren't provided by standard PCIe capabilities.
> +
> +Required properties:
> +
> +- reg:
> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
> +   document, it is a five-cell address encoded as (phys.hi phys.mid
> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
> +
> +   The bus number is defined by firmware, through the standard bridge
> +   configuration mechanism. If this port is a switch port, then firmware
> +   allocates the bus number and writes it into the Secondary Bus Number
> +   register of the bridge directly above this port. Otherwise, the bus
> +   number of a root port is the first number in the bus-range property,
> +   defaulting to zero.
> +
> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
> +   above this port, then phys.hi contains the 8-bit function number as
> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
> +   recommends that firmware only leaves ARI enabled when it knows that the
> +   OS is ARI-aware.
> +
> +Optional properties:
> +
> +- external-facing:
> +   When present, the port is external facing. All bridges and endpoints
> +   downstream of this port are external to the machine.

Maybe include a note about why this is important, ie, we care because
malicious devices may be attached to an external port?  I know you
have that in the commit log but it would be more visible here.

Elsewhere you use "external-facing", here too for consistency?

> +Example:
> +
> +pcie@10000000 {
> +	compatible = "pci-host-ecam-generic";
> +	...
> +	pcie@0008 {
> +		/* Root port 00:01.0 is external-facing */
> +		reg = <0x00000800 0 0 0 0>;
> +		external-facing;
> +	};
> +};
> -- 
> 2.21.0
> 
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

On 20/03/2019 22:03, Bjorn Helgaas wrote:
> On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
>> Provide a way for the firmware to tell the OS which devices are external
>> to the machine and therefore untrusted. The property can describe for
>> example thunderbolt and other hot-pluggable ports, which should always
>> have the strongest IOMMU protection.
> 
> s/thunderbolt/Thunderbolt/
> 
> I think the important bit is that the port is user-accessible, whether
> it is hot-pluggable or not, right?

Yes, I'll change this

> 
> I think I'm OK with this from a PCI perspective.
> 
>> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
>> ---
>>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>>  1 file changed, 47 insertions(+)
>>
>> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
>> index c77981c5dd18..55cdbc5d2804 100644
>> --- a/Documentation/devicetree/bindings/pci/pci.txt
>> +++ b/Documentation/devicetree/bindings/pci/pci.txt
>> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>>     unsupported link speed, for instance, trying to do training for
>>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>>     for gen2, and '1' for gen1. Any other values are invalid.
>> +
>> +PCI-PCI Bridge properties
>> +-------------------------
>> +
>> +Root ports and switch ports may be described explicitly in the device
> 
> Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
> to both conventional PCI and PCIe?

Ok

> 
>> +tree, as children of the host bridge node. Even though those devices are
>> +discoverable by probing, it might be necessary to describe properties that
>> +aren't provided by standard PCIe capabilities.
>> +
>> +Required properties:
>> +
>> +- reg:
>> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
>> +   document, it is a five-cell address encoded as (phys.hi phys.mid
>> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
>> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
>> +
>> +   The bus number is defined by firmware, through the standard bridge
>> +   configuration mechanism. If this port is a switch port, then firmware
>> +   allocates the bus number and writes it into the Secondary Bus Number
>> +   register of the bridge directly above this port. Otherwise, the bus
>> +   number of a root port is the first number in the bus-range property,
>> +   defaulting to zero.
>> +
>> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
>> +   above this port, then phys.hi contains the 8-bit function number as
>> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
>> +   recommends that firmware only leaves ARI enabled when it knows that the
>> +   OS is ARI-aware.
>> +
>> +Optional properties:
>> +
>> +- external-facing:
>> +   When present, the port is external facing. All bridges and endpoints
>> +   downstream of this port are external to the machine.
> 
> Maybe include a note about why this is important, ie, we care because
> malicious devices may be attached to an external port?  I know you
> have that in the commit log but it would be more visible here.
> 
> Elsewhere you use "external-facing", here too for consistency?

Makes sense, I'll add a note. I currently have:

- external-facing:
   When present, the port is external-facing. All bridges and endpoints
   downstream of this port are external to the machine. The OS can, for
   example, use this information to identify devices that cannot be
   trusted with relaxed DMA protection, as users could easily attach
   malicious devices to this port.

Thanks for reviewing, I'll resend shortly

Jean

> 
>> +Example:
>> +
>> +pcie@10000000 {
>> +	compatible = "pci-host-ecam-generic";
>> +	...
>> +	pcie@0008 {
>> +		/* Root port 00:01.0 is external-facing */
>> +		reg = <0x00000800 0 0 0 0>;
>> +		external-facing;
>> +	};
>> +};
>> -- 
>> 2.21.0
>>
>>
>> _______________________________________________
>> linux-arm-kernel mailing list
>> linux-arm-kernel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
> 

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

On 20/03/2019 22:03, Bjorn Helgaas wrote:
> On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
>> Provide a way for the firmware to tell the OS which devices are external
>> to the machine and therefore untrusted. The property can describe for
>> example thunderbolt and other hot-pluggable ports, which should always
>> have the strongest IOMMU protection.
> 
> s/thunderbolt/Thunderbolt/
> 
> I think the important bit is that the port is user-accessible, whether
> it is hot-pluggable or not, right?

Yes, I'll change this

> 
> I think I'm OK with this from a PCI perspective.
> 
>> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
>> ---
>>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>>  1 file changed, 47 insertions(+)
>>
>> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
>> index c77981c5dd18..55cdbc5d2804 100644
>> --- a/Documentation/devicetree/bindings/pci/pci.txt
>> +++ b/Documentation/devicetree/bindings/pci/pci.txt
>> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>>     unsupported link speed, for instance, trying to do training for
>>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>>     for gen2, and '1' for gen1. Any other values are invalid.
>> +
>> +PCI-PCI Bridge properties
>> +-------------------------
>> +
>> +Root ports and switch ports may be described explicitly in the device
> 
> Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
> to both conventional PCI and PCIe?

Ok

> 
>> +tree, as children of the host bridge node. Even though those devices are
>> +discoverable by probing, it might be necessary to describe properties that
>> +aren't provided by standard PCIe capabilities.
>> +
>> +Required properties:
>> +
>> +- reg:
>> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
>> +   document, it is a five-cell address encoded as (phys.hi phys.mid
>> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
>> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
>> +
>> +   The bus number is defined by firmware, through the standard bridge
>> +   configuration mechanism. If this port is a switch port, then firmware
>> +   allocates the bus number and writes it into the Secondary Bus Number
>> +   register of the bridge directly above this port. Otherwise, the bus
>> +   number of a root port is the first number in the bus-range property,
>> +   defaulting to zero.
>> +
>> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
>> +   above this port, then phys.hi contains the 8-bit function number as
>> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
>> +   recommends that firmware only leaves ARI enabled when it knows that the
>> +   OS is ARI-aware.
>> +
>> +Optional properties:
>> +
>> +- external-facing:
>> +   When present, the port is external facing. All bridges and endpoints
>> +   downstream of this port are external to the machine.
> 
> Maybe include a note about why this is important, ie, we care because
> malicious devices may be attached to an external port?  I know you
> have that in the commit log but it would be more visible here.
> 
> Elsewhere you use "external-facing", here too for consistency?

Makes sense, I'll add a note. I currently have:

- external-facing:
   When present, the port is external-facing. All bridges and endpoints
   downstream of this port are external to the machine. The OS can, for
   example, use this information to identify devices that cannot be
   trusted with relaxed DMA protection, as users could easily attach
   malicious devices to this port.

Thanks for reviewing, I'll resend shortly

Jean

> 
>> +Example:
>> +
>> +pcie@10000000 {
>> +	compatible = "pci-host-ecam-generic";
>> +	...
>> +	pcie@0008 {
>> +		/* Root port 00:01.0 is external-facing */
>> +		reg = <0x00000800 0 0 0 0>;
>> +		external-facing;
>> +	};
>> +};
>> -- 
>> 2.21.0
>>
>>
>> _______________________________________________
>> linux-arm-kernel mailing list
>> linux-arm-kernel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
> 


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Jean-Philippe Brucker]

On 20/03/2019 22:03, Bjorn Helgaas wrote:
> On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:
>> Provide a way for the firmware to tell the OS which devices are external
>> to the machine and therefore untrusted. The property can describe for
>> example thunderbolt and other hot-pluggable ports, which should always
>> have the strongest IOMMU protection.
> 
> s/thunderbolt/Thunderbolt/
> 
> I think the important bit is that the port is user-accessible, whether
> it is hot-pluggable or not, right?

Yes, I'll change this

> 
> I think I'm OK with this from a PCI perspective.
> 
>> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
>> ---
>>  Documentation/devicetree/bindings/pci/pci.txt | 47 +++++++++++++++++++
>>  1 file changed, 47 insertions(+)
>>
>> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
>> index c77981c5dd18..55cdbc5d2804 100644
>> --- a/Documentation/devicetree/bindings/pci/pci.txt
>> +++ b/Documentation/devicetree/bindings/pci/pci.txt
>> @@ -24,3 +24,50 @@ driver implementation may support the following properties:
>>     unsupported link speed, for instance, trying to do training for
>>     unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>>     for gen2, and '1' for gen1. Any other values are invalid.
>> +
>> +PCI-PCI Bridge properties
>> +-------------------------
>> +
>> +Root ports and switch ports may be described explicitly in the device
> 
> Maybe "PCIe root ports and switch ports" since pci.txt seems to apply
> to both conventional PCI and PCIe?

Ok

> 
>> +tree, as children of the host bridge node. Even though those devices are
>> +discoverable by probing, it might be necessary to describe properties that
>> +aren't provided by standard PCIe capabilities.
>> +
>> +Required properties:
>> +
>> +- reg:
>> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
>> +   document, it is a five-cell address encoded as (phys.hi phys.mid
>> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
>> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
>> +
>> +   The bus number is defined by firmware, through the standard bridge
>> +   configuration mechanism. If this port is a switch port, then firmware
>> +   allocates the bus number and writes it into the Secondary Bus Number
>> +   register of the bridge directly above this port. Otherwise, the bus
>> +   number of a root port is the first number in the bus-range property,
>> +   defaulting to zero.
>> +
>> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
>> +   above this port, then phys.hi contains the 8-bit function number as
>> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
>> +   recommends that firmware only leaves ARI enabled when it knows that the
>> +   OS is ARI-aware.
>> +
>> +Optional properties:
>> +
>> +- external-facing:
>> +   When present, the port is external facing. All bridges and endpoints
>> +   downstream of this port are external to the machine.
> 
> Maybe include a note about why this is important, ie, we care because
> malicious devices may be attached to an external port?  I know you
> have that in the commit log but it would be more visible here.
> 
> Elsewhere you use "external-facing", here too for consistency?

Makes sense, I'll add a note. I currently have:

- external-facing:
   When present, the port is external-facing. All bridges and endpoints
   downstream of this port are external to the machine. The OS can, for
   example, use this information to identify devices that cannot be
   trusted with relaxed DMA protection, as users could easily attach
   malicious devices to this port.

Thanks for reviewing, I'll resend shortly

Jean

> 
>> +Example:
>> +
>> +pcie@10000000 {
>> +	compatible = "pci-host-ecam-generic";
>> +	...
>> +	pcie@0008 {
>> +		/* Root port 00:01.0 is external-facing */
>> +		reg = <0x00000800 0 0 0 0>;
>> +		external-facing;
>> +	};
>> +};
>> -- 
>> 2.21.0
>>
>>
>> _______________________________________________
>> linux-arm-kernel mailing list
>> linux-arm-kernel@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
> 

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 25, 2019 at 12:59:48PM +0000, Jean-Philippe Brucker wrote:
> On 20/03/2019 22:03, Bjorn Helgaas wrote:
> > On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:

> >> +- external-facing:
> >> +   When present, the port is external facing. All bridges and endpoints
> >> +   downstream of this port are external to the machine.
> > 
> > Maybe include a note about why this is important, ie, we care because
> > malicious devices may be attached to an external port?  I know you
> > have that in the commit log but it would be more visible here.
> > 
> > Elsewhere you use "external-facing", here too for consistency?
> 
> Makes sense, I'll add a note. I currently have:
> 
> - external-facing:
>    When present, the port is external-facing. All bridges and endpoints
>    downstream of this port are external to the machine. The OS can, for
>    example, use this information to identify devices that cannot be
>    trusted with relaxed DMA protection, as users could easily attach
>    malicious devices to this port.

Looks good to me!

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 25, 2019 at 12:59:48PM +0000, Jean-Philippe Brucker wrote:
> On 20/03/2019 22:03, Bjorn Helgaas wrote:
> > On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:

> >> +- external-facing:
> >> +   When present, the port is external facing. All bridges and endpoints
> >> +   downstream of this port are external to the machine.
> > 
> > Maybe include a note about why this is important, ie, we care because
> > malicious devices may be attached to an external port?  I know you
> > have that in the commit log but it would be more visible here.
> > 
> > Elsewhere you use "external-facing", here too for consistency?
> 
> Makes sense, I'll add a note. I currently have:
> 
> - external-facing:
>    When present, the port is external-facing. All bridges and endpoints
>    downstream of this port are external to the machine. The OS can, for
>    example, use this information to identify devices that cannot be
>    trusted with relaxed DMA protection, as users could easily attach
>    malicious devices to this port.

Looks good to me!

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH 1/2] dt-bindings: Add external-facing PCIe port property

[Bjorn Helgaas]

On Mon, Mar 25, 2019 at 12:59:48PM +0000, Jean-Philippe Brucker wrote:
> On 20/03/2019 22:03, Bjorn Helgaas wrote:
> > On Mon, Mar 18, 2019 at 06:21:23PM +0000, Jean-Philippe Brucker wrote:

> >> +- external-facing:
> >> +   When present, the port is external facing. All bridges and endpoints
> >> +   downstream of this port are external to the machine.
> > 
> > Maybe include a note about why this is important, ie, we care because
> > malicious devices may be attached to an external port?  I know you
> > have that in the commit log but it would be more visible here.
> > 
> > Elsewhere you use "external-facing", here too for consistency?
> 
> Makes sense, I'll add a note. I currently have:
> 
> - external-facing:
>    When present, the port is external-facing. All bridges and endpoints
>    downstream of this port are external to the machine. The OS can, for
>    example, use this information to identify devices that cannot be
>    trusted with relaxed DMA protection, as users could easily attach
>    malicious devices to this port.

Looks good to me!

[PATCH 2/2] PCI: OF: Support external-facing property

[Jean-Philippe Brucker]

Set the "untrusted" attribute to any PCIe port that has an
"external-facing" device tree property. Any device downstream of this
port will inherit the attribute and have only the strictest IOMMU
protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 drivers/pci/of.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/of.c b/drivers/pci/of.c
index 3d32da15c215..3e7ac7748d90 100644
--- a/drivers/pci/of.c
+++ b/drivers/pci/of.c
@@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
 		bus->dev.of_node = pcibios_get_phb_of_node(bus);
 	else
 		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
+
+	if (of_get_property(bus->dev.of_node, "external-facing", NULL))
+		bus->self->untrusted = true;
 }
 
 void pci_release_bus_of_node(struct pci_bus *bus)
-- 
2.21.0

[PATCH 2/2] PCI: OF: Support external-facing property

[Jean-Philippe Brucker]

Set the "untrusted" attribute to any PCIe port that has an
"external-facing" device tree property. Any device downstream of this
port will inherit the attribute and have only the strictest IOMMU
protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 drivers/pci/of.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/of.c b/drivers/pci/of.c
index 3d32da15c215..3e7ac7748d90 100644
--- a/drivers/pci/of.c
+++ b/drivers/pci/of.c
@@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
 		bus->dev.of_node = pcibios_get_phb_of_node(bus);
 	else
 		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
+
+	if (of_get_property(bus->dev.of_node, "external-facing", NULL))
+		bus->self->untrusted = true;
 }
 
 void pci_release_bus_of_node(struct pci_bus *bus)
-- 
2.21.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH 2/2] PCI: OF: Support external-facing property

[Jean-Philippe Brucker]

Set the "untrusted" attribute to any PCIe port that has an
"external-facing" device tree property. Any device downstream of this
port will inherit the attribute and have only the strictest IOMMU
protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 drivers/pci/of.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/of.c b/drivers/pci/of.c
index 3d32da15c215..3e7ac7748d90 100644
--- a/drivers/pci/of.c
+++ b/drivers/pci/of.c
@@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
 		bus->dev.of_node = pcibios_get_phb_of_node(bus);
 	else
 		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
+
+	if (of_get_property(bus->dev.of_node, "external-facing", NULL))
+		bus->self->untrusted = true;
 }
 
 void pci_release_bus_of_node(struct pci_bus *bus)
-- 
2.21.0