From: Thierry Reding <thierry.reding@gmail.com>
To: Will Deacon <will.deacon@arm.com>, Joerg Roedel <joro@8bytes.org>
Cc: linux-tegra@vger.kernel.org, Jon Hunter <jonathanh@nvidia.com>,
Douglas Anderson <dianders@chromium.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Marc Gonzalez <marc.w.gonzalez@free.fr>
Subject: Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default
Date: Thu, 2 May 2019 12:59:12 +0200 [thread overview]
Message-ID: <20190502105912.GA943@ulmo> (raw)
In-Reply-To: <20190424115231.GA14829@fuggles.cambridge.arm.com>
[-- Attachment #1.1: Type: text/plain, Size: 2729 bytes --]
On Wed, Apr 24, 2019 at 12:52:31PM +0100, Will Deacon wrote:
> On Wed, Apr 24, 2019 at 01:36:58PM +0200, Marc Gonzalez wrote:
> > On 04/04/2019 17:00, Will Deacon wrote:
> >
> > > On Fri, Mar 01, 2019 at 11:20:17AM -0800, Douglas Anderson wrote:
> > >
> > >> If you're bisecting why your peripherals stopped working, it's
> > >> probably this CL. Specifically if you see this in your dmesg:
> > >> Unexpected global fault, this could be serious
> > >> ...then it's almost certainly this CL.
> > >>
> > >> Running your IOMMU-enabled peripherals with the IOMMU in bypass mode
> > >> is insecure and effectively disables the protection they provide.
> > >> There are few reasons to allow unmatched stream bypass, and even fewer
> > >> good ones.
> > >>
> > >> This patch starts the transition over to make it much harder to run
> > >> your system insecurely. Expected steps:
> > >>
> > >> 1. By default disable bypass (so anyone insecure will notice) but make
> > >> it easy for someone to re-enable bypass with just a KConfig change.
> > >> That's this patch.
> > >>
> > >> 2. After people have had a little time to come to grips with the fact
> > >> that they need to set their IOMMUs properly and have had time to
> > >> dig into how to do this, the KConfig will be eliminated and bypass
> > >> will simply be disabled. Folks who are truly upset and still
> > >> haven't fixed their system can either figure out how to add
> > >> 'arm-smmu.disable_bypass=n' to their command line or revert the
> > >> patch in their own private kernel. Of course these folks will be
> > >> less secure.
> > >>
> > >> Suggested-by: Robin Murphy <robin.murphy@arm.com>
> > >> Signed-off-by: Douglas Anderson <dianders@chromium.org>
> > >> ---
> > >>
> > >> Changes in v2:
> > >> - Flipped default to 'yes' and changed comments a lot.
> > >>
> > >> drivers/iommu/Kconfig | 25 +++++++++++++++++++++++++
> > >> drivers/iommu/arm-smmu.c | 3 ++-
> > >> 2 files changed, 27 insertions(+), 1 deletion(-)
> > >
> > > Cheers, I'll pick this one up for 5.2.
> >
> > Hello Will,
> >
> > You haven't pushed this patch out to linux-next AFAICT.
> >
> > Is that expected?
>
> It's on my branch for Joerg:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git/log/?h=for-joerg/arm-smmu/updates
>
> which I'll send to him today. My SMMU stuff doesn't go directly into -next.
This made it to linux-next yesterday (less than a week before the merge
window opens) and deliberately breaks existing configurations. That's a
little rude.
At least give people a fair heads-up and a chance to fix things before
you start break things.
Thierry
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 176 bytes --]
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-05-02 10:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-01 19:20 [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default Douglas Anderson
2019-03-20 15:48 ` Marc Gonzalez
2019-03-20 18:35 ` Robin Murphy
2019-04-02 15:42 ` Marc Gonzalez
2019-04-04 15:00 ` Will Deacon
2019-04-24 11:36 ` Marc Gonzalez
2019-04-24 11:52 ` Will Deacon
2019-05-02 10:59 ` Thierry Reding [this message]
2019-05-02 11:08 ` Will Deacon
2019-05-02 12:45 ` Thierry Reding
2019-05-02 14:08 ` Will Deacon
2019-05-02 14:27 ` Robin Murphy
2019-08-19 11:28 ` Thierry Reding
2019-08-19 12:09 ` Will Deacon
2019-08-19 13:33 ` Thierry Reding
2019-08-19 14:48 ` Will Deacon
2019-08-20 13:55 ` Marc Gonzalez
2019-08-20 14:10 ` Robin Murphy
2019-10-03 18:27 ` Tim Harvey
2019-10-03 20:42 ` Robin Murphy
2019-10-03 20:51 ` Tim Harvey
2019-10-03 22:24 ` Robin Murphy
2019-10-04 15:23 ` Tim Harvey
2019-10-04 16:36 ` Robin Murphy
2019-10-04 17:13 ` Tim Harvey
2019-10-04 18:34 ` Robin Murphy
2019-10-04 20:37 ` Tim Harvey
2019-10-04 23:27 ` Robin Murphy
2019-10-24 16:56 ` Tim Harvey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190502105912.GA943@ulmo \
--to=thierry.reding@gmail.com \
--cc=dianders@chromium.org \
--cc=jonathanh@nvidia.com \
--cc=joro@8bytes.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-tegra@vger.kernel.org \
--cc=marc.w.gonzalez@free.fr \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).