[PATCH 2/6] drivers: base: Add bits to struct device to control iommu strictness

From: Douglas Anderson <dianders@chromium.org>
To: gregkh@linuxfoundation.org, rafael@kernel.org,
	rafael.j.wysocki@intel.com, will@kernel.org,
	robin.murphy@arm.com, joro@8bytes.org,
	bjorn.andersson@linaro.org, ulf.hansson@linaro.org,
	adrian.hunter@intel.com, bhelgaas@google.com
Cc: robdclark@chromium.org, linux-arm-msm@vger.kernel.org,
	linux-pci@vger.kernel.org, quic_c_gdjako@quicinc.com,
	iommu@lists.linux-foundation.org, sonnyrao@chromium.org,
	saiprakash.ranjan@codeaurora.org, linux-mmc@vger.kernel.org,
	vbadigan@codeaurora.org, rajatja@google.com,
	saravanak@google.com, joel@joelfernandes.org,
	Douglas Anderson <dianders@chromium.org>,
	Bartosz Golaszewski <bgolaszewski@baylibre.com>,
	Dan Williams <dan.j.williams@intel.com>,
	Heikki Krogerus <heikki.krogerus@linux.intel.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 2/6] drivers: base: Add bits to struct device to control iommu strictness
Date: Mon, 21 Jun 2021 16:52:44 -0700	[thread overview]
Message-ID: <20210621165230.2.Icfe7cbb2cc86a38dde0ee5ba240e0580a0ec9596@changeid> (raw)
In-Reply-To: <20210621235248.2521620-1-dianders@chromium.org>

How to control the "strictness" of an IOMMU is a bit of a mess right
now. As far as I can tell, right now:
* You can set the default to "non-strict" and some devices (right now,
  only PCI devices) can request to run in "strict" mode.
* You can set the default to "strict" and no devices in the system are
  allowed to run as "non-strict".

I believe this needs to be improved a bit. Specifically:
* We should be able to default to "strict" mode but let devices that
  claim to be fairly low risk request that they be run in "non-strict"
  mode.
* We should allow devices outside of PCIe to request "strict" mode if
  the system default is "non-strict".

I believe the correct way to do this is two bits in "struct
device". One allows a device to force things to "strict" mode and the
other allows a device to _request_ "non-strict" mode. The asymmetry
here is on purpose. Generally if anything in the system makes a
request for strictness of something then we want it strict. Thus
drivers can only request (but not force) non-strictness.

It's expected that the strictness fields can be filled in by the bus
code like in the patch ("PCI: Indicate that we want to force strict
DMA for untrusted devices") or by using the new pre_probe concept
introduced in the patch ("drivers: base: Add the concept of
"pre_probe" to drivers").

Signed-off-by: Douglas Anderson <dianders@chromium.org>
---

 include/linux/device.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/device.h b/include/linux/device.h
index f1a00040fa53..c1b985e10c47 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -449,6 +449,15 @@ struct dev_links_info {
  *		and optionall (if the coherent mask is large enough) also
  *		for dma allocations.  This flag is managed by the dma ops
  *		instance from ->dma_supported.
+ * @force_strict_iommu: If set to %true then we should force this device to
+ *			iommu.strict regardless of the other defaults in the
+ *			system. Only has an effect if an IOMMU is in place.
+ * @request_non_strict_iommu: If set to %true and there are no other known
+ *			      reasons to make the iommu.strict for this device,
+ *			      then default to non-strict mode. This implies
+ *			      some belief that the DMA master for this device
+ *			      won't abuse the DMA path to compromise the kernel.
+ *			      Only has an effect if an IOMMU is in place.
  *
  * At the lowest level, every device in a Linux system is represented by an
  * instance of struct device. The device structure contains the information
@@ -557,6 +566,8 @@ struct device {
 #ifdef CONFIG_DMA_OPS_BYPASS
 	bool			dma_ops_bypass : 1;
 #endif
+	bool			force_strict_iommu:1;
+	bool			request_non_strict_iommu:1;
 };
 
 /**
-- 
2.32.0.288.g62a8d224e6-goog

