Re: [PATCH] iommu/arm-smmu: Report USF more clearly

From: Robin Murphy <robin.murphy@arm.com>
To: Doug Anderson <dianders@chromium.org>, Will Deacon <will@kernel.org>
Cc: iommu@lists.linux-foundation.org, Joerg Roedel <joro@8bytes.org>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH] iommu/arm-smmu: Report USF more clearly
Date: Mon, 16 Sep 2019 22:42:27 +0100	[thread overview]
Message-ID: <3e52e4e2-fb09-fa39-23be-b225194bd2c5@arm.com> (raw)
In-Reply-To: <CAD=FV=Wx7zSqGSABfnG9B0yAcZvimub+hMcPRfUoFxr-FJeFew@mail.gmail.com>

On 2019-09-16 7:19 pm, Doug Anderson wrote:
[...]
>>> 1. "By firmware" might be a bit misleading.  In most cases I'm aware
>>> of the problem is in the device tree that was bundled together with
>>> the kernel.  If there are actually cases where firmware has baked in a
>>> device tree and it got this wrong then we might want to spend time
>>> figuring out what to do about it.
>>
>> I thought that was usually the way UEFI systems worked, where the kernel
>> is updated independently of the device-tree? Either way, that should be
>> what we're aiming for, even if many platforms require the two to be tied
>> together.
> 
> It's my opinion that until there is a place in the kernel to "fixup"
> broken device trees that were baked in firmware that it's a bad idea
> to ship device trees separate from the kernel except if the device
> trees are exceedingly simple.  We'll run into too many problems
> otherwise, either because the kernel the device tree was written for
> had downstream patches or someone just made a mistake in them and
> nobody noticed.  I know device trees are supposed to be ABI, but
> people make mistakes and we need a way to fix them up.
> 
> ...but that's getting pretty far afield from Robin's patch.

Let's not get too hung up on devicetree - you can go out and buy certain 
ACPI-only platforms today that also fall foul of this, for which AFAIK 
the necessary firmware update is in the SoC vendor's hands.

>>> 2. Presumably booting with "arm-smmu.disable_bypass=0" is in most
>>> cases the least desirable option available.  I always consider kernel
>>> command line parameters as something of a last resort for
>>> configuration and would only be something that and end user might do
>>> if they were given a kernel compiled by someone else (like if someone
>>> where taking a prebuilt Linux distro and trying to install it onto a
>>> generic PC).  Are you seeing cases where this is happening?  If people
>>> are compiling their own kernel I'd argue that telling them to set
>>> "CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT" to "no" is much better
>>> than trying to jam a command line option on.  Command line options
>>> don't scale well.
>>
>> Hmm. Recompiling seems like even more of a last resort to me!
> 
> Depends on what you're doing.  If you're not in the habit of compiling
> a kernel and you're just trying to make one work then the command line
> is great.  If you're trying to manage configuration for a whole bunch
> of different hardware products then the command line is a terrible
> place to store config.
> 
> ...but I guess the summary is that we wouldn't want someone to
> actually ship a kernel with this option on anyway.  ;-)

FWIW the meta here is really "oops, you've just installed a new kernel 
and now your machine is unusable - you need to take it up with whoever 
supports your platform, but in the meantime this is the minimal thing 
you can do to get things back working as before."

Personally I'm less concerned about folks maintaining "hardware 
products", as I'd like to assume they would hit this in QA and have a 
relatively short loop back to kernel people who know what's up (or at 
least know enough to join the dots to punt it to my inbox). My main 
concern is end users of SBSA-ish platforms who are free to pick and 
choose distros - and/or kernel packages within their distro - and thus 
may bugger up their machine inadvertently if the distro package happens 
to have picked this option up from defconfig (from a quick look at least 
my preferred one has).

>>> 3. Any chance you could make it more obvious that this change is
>>> undesirable and a last resort?  AKA:
>>>
>>> "Stream ID x blocked for security reasons; allow anyway by booting
>>> with arm-smmu.disable_bypass=0"
>>
>> How about:
>>
>>    "Blocked transaction from unknown Stream ID x; boot with
>>     \"arm-smmu.disable_bypass=0\" to allow these transactions, although this
>>     may have security implications."
> 
> Fine with me if it's not too long for an error message.

Sounds good, I'll respin with a slight abbreviation of that (and minus 
the embarrassingly stupid thinko) tomorrow.

Cheers,
Robin.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel