From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC3F3C433DB for ; Wed, 10 Feb 2021 16:49:13 +0000 (UTC) Received: from ml01.01.org (ml01.01.org [198.145.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 2F92264DDF for ; Wed, 10 Feb 2021 16:49:13 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2F92264DDF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-nvdimm-bounces@lists.01.org Received: from ml01.vlan13.01.org (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id CC61E100F2271; Wed, 10 Feb 2021 08:49:12 -0800 (PST) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=ben.widawsky@intel.com; receiver= Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C3B12100EC1EE for ; Wed, 10 Feb 2021 08:49:07 -0800 (PST) IronPort-SDR: phD/JJbAqBKAN4nzeQGviwnmbj1A9OiXBiRV11KNI5f29kK/pmOXox1ADOyq9SpI0NBjp/LaRt UAvBwJ1hNpfQ== X-IronPort-AV: E=McAfee;i="6000,8403,9891"; a="161859059" X-IronPort-AV: E=Sophos;i="5.81,168,1610438400"; d="scan'208";a="161859059" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Feb 2021 08:49:07 -0800 IronPort-SDR: nPop3UUEPWzWG5fYpSunzvTaGuD6gWSniBaNF3DXgUFmgxy8A0z61/KAFosXfm+zC90iYn5hx8 aJeiJSXGNRfA== X-IronPort-AV: E=Sophos;i="5.81,168,1610438400"; d="scan'208";a="396773601" Received: from lgrunes-mobl.amr.corp.intel.com (HELO intel.com) ([10.252.135.4]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Feb 2021 08:49:06 -0800 Date: Wed, 10 Feb 2021 08:49:04 -0800 From: Ben Widawsky To: Ariel.Sibley@microchip.com Subject: Re: [PATCH v2 5/8] cxl/mem: Add a "RAW" send command Message-ID: <20210210164904.lfhtfvlyeypfpjhe@intel.com> References: <20210210000259.635748-1-ben.widawsky@intel.com> <20210210000259.635748-6-ben.widawsky@intel.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: Message-ID-Hash: SMAZKEUF4XBEQ7U2R75S3IMQ6A3J7G76 X-Message-ID-Hash: SMAZKEUF4XBEQ7U2R75S3IMQ6A3J7G76 X-MailFrom: ben.widawsky@intel.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation CC: linux-cxl@vger.kernel.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, linux-pci@vger.kernel.org, helgaas@kernel.org, cbrowy@avery-design.com, hch@infradead.org, david@redhat.com, rientjes@google.com, jcm@jonmasters.org, Jonathan.Cameron@huawei.com, rafael.j.wysocki@intel.com, rdunlap@infradead.org, jgroves@micron.com, sean.v.kelley@intel.com X-Mailman-Version: 3.1.1 Precedence: list List-Id: "Linux-nvdimm developer list." Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On 21-02-10 15:26:27, Ariel.Sibley@microchip.com wrote: > > diff --git a/drivers/cxl/Kconfig b/drivers/cxl/Kconfig > > index c4ba3aa0a05d..08eaa8e52083 100644 > > --- a/drivers/cxl/Kconfig > > +++ b/drivers/cxl/Kconfig > > @@ -33,6 +33,24 @@ config CXL_MEM > > > > If unsure say 'm'. > > > > +config CXL_MEM_RAW_COMMANDS > > + bool "RAW Command Interface for Memory Devices" > > + depends on CXL_MEM > > + help > > + Enable CXL RAW command interface. > > + > > + The CXL driver ioctl interface may assign a kernel ioctl command > > + number for each specification defined opcode. At any given point in > > + time the number of opcodes that the specification defines and a device > > + may implement may exceed the kernel's set of associated ioctl function > > + numbers. The mismatch is either by omission, specification is too new, > > + or by design. When prototyping new hardware, or developing / > > debugging > > + the driver it is useful to be able to submit any possible command to > > + the hardware, even commands that may crash the kernel due to their > > + potential impact to memory currently in use by the kernel. > > + > > + If developing CXL hardware or the driver say Y, otherwise say N. > > Blocking RAW commands by default will prevent vendors from developing user > space tools that utilize vendor specific commands. Vendors of CXL.mem devices > should take ownership of ensuring any vendor defined commands that could cause > user data to be exposed or corrupted are disabled at the device level for > shipping configurations. Thanks for brining this up Ariel. If there is a recommendation on how to codify this, I would certainly like to know because the explanation will be long. --- The background: The enabling/disabling of the Kconfig option is driven by the distribution and/or system integrator. Even if we made the default 'y', nothing stops them from changing that. if you are using this driver in production and insist on using RAW commands, you are free to carry around a small patch to get rid of the WARN (it is a one-liner). To recap why this is in place - the driver owns the sanctity of the device and therefore a [large] part of the whole system. What we can do as driver writers is figure out the set of commands that are "safe" and allow those. Aside from being able to validate them, we're able to mediate them with other parallel operations that might conflict. We gain the ability to squint extra hard at bug reports. We provide a reason to try to use a well defined part of the spec. Realizing that only allowing that small set of commands in a rapidly growing ecosystem is not a welcoming API; we decided on RAW. Vendor commands can be one of two types: 1. Some functionality probably most vendors want. 2. Functionality that is really single vendor specific. Hopefully we can agree that the path for case #1 is to work with the consortium to standardize a command that does what is needed and that can eventually become part of UAPI. The situation is unfortunate, but temporary. If you won't be able to upgrade your kernel, patch out the WARN as above. The second situation is interesting and does need some more thought and discussion. --- I see 3 realistic options for truly vendor specific commands. 1. Tough noogies. Vendors aren't special and they shouldn't do that. 2. modparam to disable the WARN for specific devices (let the sysadmin decide) 3. Try to make them part of UAPI. The right answer to me is #1, but I also realize I live in the real world. #2 provides too much flexibility. Vendors will just do what they please and distros and/or integrators will be seen as hostile if they don't accommodate. I like #3, but I have a feeling not everyone will agree. My proposal for vendor specific commands is, if it's clear it's truly a unique command, allow adding it as part of UAPI (moving it out of RAW). I expect like 5 of these, ever. If we start getting multiple per vendor, we've failed. The infrastructure is already in place to allow doing this pretty easily. I think we'd have to draw up some guidelines (like adding test cases for the command) to allow these to come in. Anything with command effects is going to need extra scrutiny. In my opinion, as maintainers of the driver, we do owe the community an answer as to our direction for this. Dan, what is your thought? _______________________________________________ Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org To unsubscribe send an email to linux-nvdimm-leave@lists.01.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1180C433DB for ; Wed, 10 Feb 2021 16:51:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 81BB364DD6 for ; Wed, 10 Feb 2021 16:51:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233231AbhBJQvV (ORCPT ); Wed, 10 Feb 2021 11:51:21 -0500 Received: from mga03.intel.com ([134.134.136.65]:53339 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233087AbhBJQtv (ORCPT ); Wed, 10 Feb 2021 11:49:51 -0500 IronPort-SDR: k4QgDAZxiXRIQ1Wx9gufipSaKME6IDYduo92w47UnMqWnpKFwrTq4PpVJDmIAzgXUemmgeoaSo ygbLzyHA6QhQ== X-IronPort-AV: E=McAfee;i="6000,8403,9891"; a="182174754" X-IronPort-AV: E=Sophos;i="5.81,168,1610438400"; d="scan'208";a="182174754" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Feb 2021 08:49:06 -0800 IronPort-SDR: nPop3UUEPWzWG5fYpSunzvTaGuD6gWSniBaNF3DXgUFmgxy8A0z61/KAFosXfm+zC90iYn5hx8 aJeiJSXGNRfA== X-IronPort-AV: E=Sophos;i="5.81,168,1610438400"; d="scan'208";a="396773601" Received: from lgrunes-mobl.amr.corp.intel.com (HELO intel.com) ([10.252.135.4]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Feb 2021 08:49:06 -0800 Date: Wed, 10 Feb 2021 08:49:04 -0800 From: Ben Widawsky To: Ariel.Sibley@microchip.com Cc: linux-cxl@vger.kernel.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, linux-pci@vger.kernel.org, helgaas@kernel.org, cbrowy@avery-design.com, hch@infradead.org, dan.j.williams@intel.com, david@redhat.com, rientjes@google.com, ira.weiny@intel.com, jcm@jonmasters.org, Jonathan.Cameron@huawei.com, rafael.j.wysocki@intel.com, rdunlap@infradead.org, vishal.l.verma@intel.com, jgroves@micron.com, sean.v.kelley@intel.com Subject: Re: [PATCH v2 5/8] cxl/mem: Add a "RAW" send command Message-ID: <20210210164904.lfhtfvlyeypfpjhe@intel.com> References: <20210210000259.635748-1-ben.widawsky@intel.com> <20210210000259.635748-6-ben.widawsky@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org On 21-02-10 15:26:27, Ariel.Sibley@microchip.com wrote: > > diff --git a/drivers/cxl/Kconfig b/drivers/cxl/Kconfig > > index c4ba3aa0a05d..08eaa8e52083 100644 > > --- a/drivers/cxl/Kconfig > > +++ b/drivers/cxl/Kconfig > > @@ -33,6 +33,24 @@ config CXL_MEM > > > > If unsure say 'm'. > > > > +config CXL_MEM_RAW_COMMANDS > > + bool "RAW Command Interface for Memory Devices" > > + depends on CXL_MEM > > + help > > + Enable CXL RAW command interface. > > + > > + The CXL driver ioctl interface may assign a kernel ioctl command > > + number for each specification defined opcode. At any given point in > > + time the number of opcodes that the specification defines and a device > > + may implement may exceed the kernel's set of associated ioctl function > > + numbers. The mismatch is either by omission, specification is too new, > > + or by design. When prototyping new hardware, or developing / > > debugging > > + the driver it is useful to be able to submit any possible command to > > + the hardware, even commands that may crash the kernel due to their > > + potential impact to memory currently in use by the kernel. > > + > > + If developing CXL hardware or the driver say Y, otherwise say N. > > Blocking RAW commands by default will prevent vendors from developing user > space tools that utilize vendor specific commands. Vendors of CXL.mem devices > should take ownership of ensuring any vendor defined commands that could cause > user data to be exposed or corrupted are disabled at the device level for > shipping configurations. Thanks for brining this up Ariel. If there is a recommendation on how to codify this, I would certainly like to know because the explanation will be long. --- The background: The enabling/disabling of the Kconfig option is driven by the distribution and/or system integrator. Even if we made the default 'y', nothing stops them from changing that. if you are using this driver in production and insist on using RAW commands, you are free to carry around a small patch to get rid of the WARN (it is a one-liner). To recap why this is in place - the driver owns the sanctity of the device and therefore a [large] part of the whole system. What we can do as driver writers is figure out the set of commands that are "safe" and allow those. Aside from being able to validate them, we're able to mediate them with other parallel operations that might conflict. We gain the ability to squint extra hard at bug reports. We provide a reason to try to use a well defined part of the spec. Realizing that only allowing that small set of commands in a rapidly growing ecosystem is not a welcoming API; we decided on RAW. Vendor commands can be one of two types: 1. Some functionality probably most vendors want. 2. Functionality that is really single vendor specific. Hopefully we can agree that the path for case #1 is to work with the consortium to standardize a command that does what is needed and that can eventually become part of UAPI. The situation is unfortunate, but temporary. If you won't be able to upgrade your kernel, patch out the WARN as above. The second situation is interesting and does need some more thought and discussion. --- I see 3 realistic options for truly vendor specific commands. 1. Tough noogies. Vendors aren't special and they shouldn't do that. 2. modparam to disable the WARN for specific devices (let the sysadmin decide) 3. Try to make them part of UAPI. The right answer to me is #1, but I also realize I live in the real world. #2 provides too much flexibility. Vendors will just do what they please and distros and/or integrators will be seen as hostile if they don't accommodate. I like #3, but I have a feeling not everyone will agree. My proposal for vendor specific commands is, if it's clear it's truly a unique command, allow adding it as part of UAPI (moving it out of RAW). I expect like 5 of these, ever. If we start getting multiple per vendor, we've failed. The infrastructure is already in place to allow doing this pretty easily. I think we'd have to draw up some guidelines (like adding test cases for the command) to allow these to come in. Anything with command effects is going to need extra scrutiny. In my opinion, as maintainers of the driver, we do owe the community an answer as to our direction for this. Dan, what is your thought?