linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
From: Will Deacon <will@kernel.org>
To: Thierry Reding <thierry.reding@gmail.com>
Cc: Marc Gonzalez <marc.w.gonzalez@free.fr>,
	Joerg Roedel <joro@8bytes.org>, Will Deacon <will.deacon@arm.com>,
	Douglas Anderson <dianders@chromium.org>,
	Jon Hunter <jonathanh@nvidia.com>,
	linux-tegra@vger.kernel.org, Robin Murphy <robin.murphy@arm.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default
Date: Mon, 19 Aug 2019 13:09:18 +0100	[thread overview]
Message-ID: <20190819120917.hysyc6l3ckkwcx25@willie-the-truck> (raw)
In-Reply-To: <20190819112856.GA28102@ulmo>

On Mon, Aug 19, 2019 at 01:28:56PM +0200, Thierry Reding wrote:
> Perhaps an alternative would be to add a property to the SMMU node that
> lists a set of stream IDs for which to enable bypass by default. We
> could let the firmware set that when the display hardware has been set
> up. That way when the kernel boots we can keep scanning from the
> reserved memory and the ARM SMMU driver would not disable bypass for the
> display hardware. Only when the display hardware is actually attached to
> the IOMMU domain, and the 1:1 mappings have been created would bypass be
> disabled, and at that point there should be no SMMU faults anymore, so
> we have cleanly transitioned to the kernel.
> 
> Any thoughts?

There is currently an extension to IORT under discussion which should
address this problem, so it would make a lot of sense for the DT solution
to follow the same approach. I think it will end up being along the lines
that you suggest, although we won't just enable bypass because that leaves
memory wide open if the device driver doesn't probe and it also creates
an issue because device attach typically happens before the endpoint
driver has probed.

So the flow would look something like:

	- Firmware describes a physical region of memory which must be
	  reserved by the OS.

	- Additionally, firmware describes a master -> reserved memory
	  linkage as part of the IOMMU description.

	- When the IOMMU probes, these reserved memory regions will be
	  mapped 1:1 for the relevant master.

This is similar to RMRR on x86, except that the mappings are intended to
be less rigid and can be torn down if the endpoint driver decides to do
that or for things like device passthrough.

If we get that working, we should update our booting.txt so that DMA is
allowed during boot in the limited cases which this covers.

Will

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  reply	other threads:[~2019-08-19 12:09 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-01 19:20 [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default Douglas Anderson
2019-03-20 15:48 ` Marc Gonzalez
2019-03-20 18:35   ` Robin Murphy
2019-04-02 15:42 ` Marc Gonzalez
2019-04-04 15:00 ` Will Deacon
2019-04-24 11:36   ` Marc Gonzalez
2019-04-24 11:52     ` Will Deacon
2019-05-02 10:59       ` Thierry Reding
2019-05-02 11:08         ` Will Deacon
2019-05-02 12:45           ` Thierry Reding
2019-05-02 14:08             ` Will Deacon
2019-05-02 14:27             ` Robin Murphy
2019-08-19 11:28               ` Thierry Reding
2019-08-19 12:09                 ` Will Deacon [this message]
2019-08-19 13:33                   ` Thierry Reding
2019-08-19 14:48                     ` Will Deacon
2019-08-20 13:55                       ` Marc Gonzalez
2019-08-20 14:10                         ` Robin Murphy
2019-10-03 18:27 ` Tim Harvey
2019-10-03 20:42   ` Robin Murphy
2019-10-03 20:51     ` Tim Harvey
2019-10-03 22:24       ` Robin Murphy
2019-10-04 15:23         ` Tim Harvey
2019-10-04 16:36           ` Robin Murphy
2019-10-04 17:13             ` Tim Harvey
2019-10-04 18:34               ` Robin Murphy
2019-10-04 20:37                 ` Tim Harvey
2019-10-04 23:27                   ` Robin Murphy
2019-10-24 16:56                     ` Tim Harvey

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190819120917.hysyc6l3ckkwcx25@willie-the-truck \
    --to=will@kernel.org \
    --cc=dianders@chromium.org \
    --cc=jonathanh@nvidia.com \
    --cc=joro@8bytes.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-tegra@vger.kernel.org \
    --cc=marc.w.gonzalez@free.fr \
    --cc=robin.murphy@arm.com \
    --cc=thierry.reding@gmail.com \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).