From: Baolu Lu <baolu.lu@linux.intel.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: baolu.lu@linux.intel.com, Joerg Roedel <joro@8bytes.org>,
    Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>,
    Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@linux.intel.com>,
    Paolo Bonzini <pbonzini@redhat.com>, David Airlie <airlied@linux.ie>,
    Jani Nikula <jani.nikula@linux.intel.com>,
    Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
    Rodrigo Vivi <rodrigo.vivi@intel.com>,
    Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
    Daniel Vetter <daniel@ffwll.ch>, Kevin Tian <kevin.tian@intel.com>,
    Ashok Raj <ashok.raj@intel.com>, Liu Yi L <yi.l.liu@intel.com>,
    Jacob Pan <jacob.jun.pan@linux.intel.com>, Ning Sun <ning.sun@intel.com>,
    Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>,
    Christoph Hellwig <hch@lst.de>, Steve Wahl <steve.wahl@hpe.com>,
    iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 6/7] x86/boot/tboot: Move tboot_force_iommu() to Intel IOMMU
Date: Wed, 18 May 2022 15:38:08 +0800
Message-ID: <efab101f-14e2-ab5c-810d-c355aebaad52@linux.intel.com>
In-Reply-To: <20220517111350.GR1343366@nvidia.com>

On 2022/5/17 19:13, Jason Gunthorpe wrote:
> On Tue, May 17, 2022 at 10:05:43AM +0800, Baolu Lu wrote:
>> Hi Jason,
>>
>> On 2022/5/17 02:06, Jason Gunthorpe wrote:
>>>> +static __init int tboot_force_iommu(void)
>>>> +{
>>>> + if (!tboot_enabled())
>>>> + return 0;
>>>> +
>>>> + if (no_iommu || dmar_disabled)
>>>> + pr_warn("Forcing Intel-IOMMU to enabled\n");
>>> Unrelated, but when we are in the special secure IOMMU modes, do we
>>> force ATS off? Specifically does the IOMMU reject TLPs that are marked
>>> as translated?
>>
>> Good question. From IOMMU point of view, I don't see a point to force
>> ATS off, but trust boot involves lots of other things that I am not
>> familiar with. Anybody else could help to answer?
>
> ATS is inherently not secure, if a rogue device can issue a TLP with
> the translated bit set then it has unlimited access to host memory.

Agreed. The current logic is that the platform lets the OS know such
devices through firmware (ACPI/DT) and OS sets the untrusted flag in
their device structures. The IOMMU subsystem will disable ATS on devices
with the untrusted flag set.

There is some discussion about allowing the supervisor users to set the
trust policy through the sysfs ABI, but I don't think this has happened
in upstream kernel.

> Many of these trusted iommu scenarios rely on the idea that a rogue
> device cannot DMA to arbitrary system memory.

I am not sure whether tboot has the same requirement.

Best regards,
baolu
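
Review bot: in the quoted tboot_force_iommu() lines, the pr_warn() under "if (no_iommu || dmar_disabled)" does not say that tboot is the reason the setting is being overridden, so someone who disabled the IOMMU on purpose sees only "Forcing Intel-IOMMU to enabled" with no cause. Consider naming tboot in the message and tightening the wording, for example "tboot is active, forcing Intel-IOMMU on". The quote stops at the pr_warn(), so the override that should follow it cannot be checked from this excerpt.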
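
As an added illustration (not code from this thread or from the kernel), the C below checks the policy outcome described in the reply above, whether ATS has been left enabled on a function, by walking the PCIe extended capability list in a copy of the device's configuration space. The function names and the sample buffer are constructed for this example; the capability ID and register offsets are the PCIe-defined values also found in Linux's pci_regs.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IDs and offsets from the PCIe spec (same values as Linux's pci_regs.h). */
#define CFG_SIZE        4096    /* full PCIe configuration space */
#define EXT_CAP_START   0x100   /* first extended capability header */
#define EXT_CAP_ID_ATS  0x000F  /* Address Translation Services */
#define ATS_CTRL        0x06    /* ATS Control register, relative to header */
#define ATS_CTRL_ENABLE 0x8000  /* bit 15: ATS enabled on this function */

enum ats_state { ATS_UNKNOWN = -1, ATS_ABSENT, ATS_DISABLED, ATS_ENABLED };

static uint32_t rd(const uint8_t *c, size_t off, int n)  /* little-endian read */
{
    uint32_t v = 0;
    while (n--)
        v = (v << 8) | c[off + n];
    return v;
}

/* Hypothetical helper: walk the extended capability list, report ATS state. */
enum ats_state ats_enable_state(const uint8_t *cfg, size_t len)
{
    size_t off = EXT_CAP_START;
    int ttl = (CFG_SIZE - EXT_CAP_START) / 8;   /* bound against looping lists */

    if (len < CFG_SIZE)
        return ATS_UNKNOWN;   /* truncated read: extended space not visible */
    while (off >= EXT_CAP_START && off + 8 <= len && ttl-- > 0) {
        uint32_t hdr = rd(cfg, off, 4);
        if (hdr == 0 || hdr == 0xFFFFFFFFu)
            break;
        if ((hdr & 0xFFFF) == EXT_CAP_ID_ATS)
            return (rd(cfg, off + ATS_CTRL, 2) & ATS_CTRL_ENABLE)
                   ? ATS_ENABLED : ATS_DISABLED;
        off = (hdr >> 20) & 0xFFC;   /* next pointer, dword aligned */
    }
    return ATS_ABSENT;
}

/* Constructed sample: AER at 0x100 chained to an ATS capability at 0x148. */
void build_sample(uint8_t *cfg, int ats_on)
{
    memset(cfg, 0, CFG_SIZE);
    memcpy(cfg + 0x100, "\x01\x00\x81\x14", 4);         /* AER v1, next 0x148 */
    memcpy(cfg + 0x148, "\x0F\x00\x01\x00", 4);         /* ATS v1, next 0 */
    cfg[0x148 + ATS_CTRL + 1] = ats_on ? 0x80 : 0x00;   /* Enable = bit 15 */
}
```

On a live system the buffer would come from reading /sys/bus/pci/devices/<BDF>/config with enough privilege to see all 4096 bytes; a shorter read is reported as ATS_UNKNOWN rather than guessed.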