linux-pci.vger.kernel.org archive mirror
* [PATCH v2 0/2] PCI: Describe external-facing ports in device tree
@ 2019-04-02 13:15 Jean-Philippe Brucker
  2019-04-02 13:15 ` [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property Jean-Philippe Brucker
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Jean-Philippe Brucker @ 2019-04-02 13:15 UTC (permalink / raw)
  To: bhelgaas, robh+dt, mark.rutland
  Cc: linux-pci, devicetree, linux-arm-kernel, Grant.Likely,
	Jeremy.Linton, Robin.Murphy

Since v1 [1], I improved the wording of patch 1/2 as suggested by Bjorn.

Add an "external-facing" property to PCI ports in device-tree, to help
identify untrusted devices. The notion of untrusted PCI devices was
added to the v5.0 kernel to describe devices that should have strict
IOMMU protection [2], for example devices that are plugged in a
Thunderbolt port. ACPI systems use the ExternalFacingPort property [3].
Add an equivalent mechanism to device tree.

[1] https://lore.kernel.org/linux-pci/20190318182124.53859-1-jean-philippe.brucker@arm.com/
[2] https://lkml.org/lkml/2018/11/26/631
[3] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports

Jean-Philippe Brucker (2):
  dt-bindings: Add external-facing PCIe port property
  PCI: OF: Support external-facing property

 Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
 drivers/pci/of.c                              |  3 ++
 2 files changed, 53 insertions(+)

-- 
2.21.0



* [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property
  2019-04-02 13:15 [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Jean-Philippe Brucker
@ 2019-04-02 13:15 ` Jean-Philippe Brucker
  2019-04-05 21:39   ` Robin Murphy
  2019-04-06  6:06   ` Rob Herring
  2019-04-02 13:15 ` [PATCH v2 2/2] PCI: OF: Support external-facing property Jean-Philippe Brucker
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 9+ messages in thread
From: Jean-Philippe Brucker @ 2019-04-02 13:15 UTC (permalink / raw)
  To: bhelgaas, robh+dt, mark.rutland
  Cc: linux-pci, devicetree, linux-arm-kernel, Grant.Likely,
	Jeremy.Linton, Robin.Murphy

Provide a way for the firmware to tell the OS which devices are external
to the machine and therefore untrusted. The property can describe for
example Thunderbolt and other user-accessible ports, which should always
have the strongest IOMMU protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
index c77981c5dd18..92c01db610df 100644
--- a/Documentation/devicetree/bindings/pci/pci.txt
+++ b/Documentation/devicetree/bindings/pci/pci.txt
@@ -24,3 +24,53 @@ driver implementation may support the following properties:
    unsupported link speed, for instance, trying to do training for
    unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
    for gen2, and '1' for gen1. Any other values are invalid.
+
+PCI-PCI Bridge properties
+-------------------------
+
+PCIe root ports and switch ports may be described explicitly in the device
+tree, as children of the host bridge node. Even though those devices are
+discoverable by probing, it might be necessary to describe properties that
+aren't provided by standard PCIe capabilities.
+
+Required properties:
+
+- reg:
+   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
+   document, it is a five-cell address encoded as (phys.hi phys.mid
+   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
+   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
+
+   The bus number is defined by firmware, through the standard bridge
+   configuration mechanism. If this port is a switch port, then firmware
+   allocates the bus number and writes it into the Secondary Bus Number
+   register of the bridge directly above this port. Otherwise, the bus
+   number of a root port is the first number in the bus-range property,
+   defaulting to zero.
+
+   If firmware leaves the ARI Forwarding Enable bit set in the bridge
+   above this port, then phys.hi contains the 8-bit function number as
+   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
+   recommends that firmware only leaves ARI enabled when it knows that the
+   OS is ARI-aware.
+
+Optional properties:
+
+- external-facing:
+   When present, the port is external-facing. All bridges and endpoints
+   downstream of this port are external to the machine. The OS can, for
+   example, use this information to identify devices that cannot be
+   trusted with relaxed DMA protection, as users could easily attach
+   malicious devices to this port.
+
+Example:
+
+pcie@10000000 {
+	compatible = "pci-host-ecam-generic";
+	...
+	pcie@0008 {
+		/* Root port 00:01.0 is external-facing */
+		reg = <0x00000800 0 0 0 0>;
+		external-facing;
+	};
+};
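Review bot: the unit address in the example node name `pcie@0008` does not match its own `reg` value or the comment above it. With the bbbbbbbb dddddfff layout given in the reg description, `reg = <0x00000800 0 0 0 0>` decodes to bus 0, device 1, function 0, which agrees with "Root port 00:01.0" but not with "0008". Deriving the unit address from reg in the PCI bus binding's device,function form, `pcie@1,0`, would keep the node name, the reg cell and the comment consistent, and gives DT authors a pattern they can copy without guessing how "0008" was obtained.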
-- 
2.21.0



* [PATCH v2 2/2] PCI: OF: Support external-facing property
  2019-04-02 13:15 [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Jean-Philippe Brucker
  2019-04-02 13:15 ` [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property Jean-Philippe Brucker
@ 2019-04-02 13:15 ` Jean-Philippe Brucker
  2019-04-05 21:18   ` Bjorn Helgaas
  2019-04-05 21:28   ` Robin Murphy
  2019-04-06 19:42 ` [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Grant Likely
  2019-04-09 23:11 ` Bjorn Helgaas
  3 siblings, 2 replies; 9+ messages in thread
From: Jean-Philippe Brucker @ 2019-04-02 13:15 UTC (permalink / raw)
  To: bhelgaas, robh+dt, mark.rutland
  Cc: linux-pci, devicetree, linux-arm-kernel, Grant.Likely,
	Jeremy.Linton, Robin.Murphy

Set the "untrusted" attribute to any PCIe port that has an
"external-facing" device tree property. Any device downstream of this
port will inherit the attribute and have only the strictest IOMMU
protection.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
---
 drivers/pci/of.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/of.c b/drivers/pci/of.c
index 3d32da15c215..3e7ac7748d90 100644
--- a/drivers/pci/of.c
+++ b/drivers/pci/of.c
@@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
 		bus->dev.of_node = pcibios_get_phb_of_node(bus);
 	else
 		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
+
+	if (of_get_property(bus->dev.of_node, "external-facing", NULL))
+		bus->self->untrusted = true;
 }
 
 void pci_release_bus_of_node(struct pci_bus *bus)
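Review bot: the added `bus->self->untrusted = true` sits after the if/else, so it also runs on the branch that takes the node from `pcibios_get_phb_of_node(bus)` instead of from `bus->self`. If that branch is the one taken when `bus->self` is NULL (the condition is above the visible context), a host bridge node that carries "external-facing" would cause a NULL pointer dereference here. Moving the property check into the else branch, next to the `of_node_get(bus->self->dev.of_node)` assignment, removes that path and makes it explicit that the property is only honoured on bridges.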
-- 
2.21.0



* Re: [PATCH v2 2/2] PCI: OF: Support external-facing property
  2019-04-02 13:15 ` [PATCH v2 2/2] PCI: OF: Support external-facing property Jean-Philippe Brucker
@ 2019-04-05 21:18   ` Bjorn Helgaas
  2019-04-05 21:28   ` Robin Murphy
  1 sibling, 0 replies; 9+ messages in thread
From: Bjorn Helgaas @ 2019-04-05 21:18 UTC (permalink / raw)
  To: Jean-Philippe Brucker
  Cc: robh+dt, mark.rutland, devicetree, linux-pci, Jeremy.Linton,
	Grant.Likely, Robin.Murphy, linux-arm-kernel

On Tue, Apr 02, 2019 at 02:15:48PM +0100, Jean-Philippe Brucker wrote:
> Set the "untrusted" attribute to any PCIe port that has an
> "external-facing" device tree property. Any device downstream of this
> port will inherit the attribute and have only the strictest IOMMU
> protection.
> 
> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>

Acked-by: Bjorn Helgaas <bhelgaas@google.com>

Rob, you can take both of these, or ack the first and I'll take them.

> ---
>  drivers/pci/of.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/pci/of.c b/drivers/pci/of.c
> index 3d32da15c215..3e7ac7748d90 100644
> --- a/drivers/pci/of.c
> +++ b/drivers/pci/of.c
> @@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
>  		bus->dev.of_node = pcibios_get_phb_of_node(bus);
>  	else
>  		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
> +
> +	if (of_get_property(bus->dev.of_node, "external-facing", NULL))
> +		bus->self->untrusted = true;
>  }
>  
>  void pci_release_bus_of_node(struct pci_bus *bus)
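Review bot: the new `bus->self->untrusted = true` assignment carries no comment explaining that the flag is written to the bridge above this bus and that, per the commit message, devices downstream inherit it. Nothing in this hunk performs that inheritance, so a one-line comment saying where it happens would help a reader who arrives at pci_set_bus_of_node() and wonders why a helper that sets up the bus's of_node also modifies the bridge device.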
> -- 
> 2.21.0
> 
> 


* Re: [PATCH v2 2/2] PCI: OF: Support external-facing property
  2019-04-02 13:15 ` [PATCH v2 2/2] PCI: OF: Support external-facing property Jean-Philippe Brucker
  2019-04-05 21:18   ` Bjorn Helgaas
@ 2019-04-05 21:28   ` Robin Murphy
  1 sibling, 0 replies; 9+ messages in thread
From: Robin Murphy @ 2019-04-05 21:28 UTC (permalink / raw)
  To: Jean-Philippe Brucker, bhelgaas, robh+dt, mark.rutland
  Cc: linux-pci, devicetree, linux-arm-kernel, Grant.Likely, Jeremy.Linton

On 2019-04-02 2:15 pm, Jean-Philippe Brucker wrote:
> Set the "untrusted" attribute to any PCIe port that has an
> "external-facing" device tree property. Any device downstream of this
> port will inherit the attribute and have only the strictest IOMMU
> protection.
> 
> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>   drivers/pci/of.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/pci/of.c b/drivers/pci/of.c
> index 3d32da15c215..3e7ac7748d90 100644
> --- a/drivers/pci/of.c
> +++ b/drivers/pci/of.c
> @@ -35,6 +35,9 @@ void pci_set_bus_of_node(struct pci_bus *bus)
>   		bus->dev.of_node = pcibios_get_phb_of_node(bus);
>   	else
>   		bus->dev.of_node = of_node_get(bus->self->dev.of_node);
> +
> +	if (of_get_property(bus->dev.of_node, "external-facing", NULL))

You could use of_property_read_bool() for this, but either way,

Reviewed-by: Robin Murphy <robin.murphy@arm.com>

> +		bus->self->untrusted = true;
>   }
>   
>   void pci_release_bus_of_node(struct pci_bus *bus)
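Review bot: the check added after the else branch accepts "external-facing" on whatever node ends up in `bus->dev.of_node`, with no test that `bus->self` is actually a PCIe root port or switch port, although the commit message speaks of PCIe ports only. Either validate the port type before setting `untrusted`, or say in the binding that the property is honoured on any bridge node, so that the code and the documentation agree on where the property has an effect.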
> 


* Re: [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property
  2019-04-02 13:15 ` [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property Jean-Philippe Brucker
@ 2019-04-05 21:39   ` Robin Murphy
  2019-04-06  6:06   ` Rob Herring
  1 sibling, 0 replies; 9+ messages in thread
From: Robin Murphy @ 2019-04-05 21:39 UTC (permalink / raw)
  To: Jean-Philippe Brucker, bhelgaas, robh+dt, mark.rutland
  Cc: linux-pci, devicetree, linux-arm-kernel, Grant.Likely, Jeremy.Linton

On 2019-04-02 2:15 pm, Jean-Philippe Brucker wrote:
> Provide a way for the firmware to tell the OS which devices are external
> to the machine and therefore untrusted. The property can describe for
> example Thunderbolt and other user-accessible ports, which should always
> have the strongest IOMMU protection.

Reviewed-by: Robin Murphy <robin.murphy@arm.com>

> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>   Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
>   1 file changed, 50 insertions(+)
> 
> diff --git a/Documentation/devicetree/bindings/pci/pci.txt b/Documentation/devicetree/bindings/pci/pci.txt
> index c77981c5dd18..92c01db610df 100644
> --- a/Documentation/devicetree/bindings/pci/pci.txt
> +++ b/Documentation/devicetree/bindings/pci/pci.txt
> @@ -24,3 +24,53 @@ driver implementation may support the following properties:
>      unsupported link speed, for instance, trying to do training for
>      unsupported link speed, etc.  Must be '4' for gen4, '3' for gen3, '2'
>      for gen2, and '1' for gen1. Any other values are invalid.
> +
> +PCI-PCI Bridge properties
> +-------------------------
> +
> +PCIe root ports and switch ports may be described explicitly in the device
> +tree, as children of the host bridge node. Even though those devices are
> +discoverable by probing, it might be necessary to describe properties that
> +aren't provided by standard PCIe capabilities.
> +
> +Required properties:
> +
> +- reg:
> +   Identifies the PCI-PCI bridge. As defined in the IEEE Std 1275-1994
> +   document, it is a five-cell address encoded as (phys.hi phys.mid
> +   phys.lo size.hi size.lo). phys.hi should contain the device's BDF as
> +   0b00000000 bbbbbbbb dddddfff 00000000. The other cells should be zero.
> +
> +   The bus number is defined by firmware, through the standard bridge
> +   configuration mechanism. If this port is a switch port, then firmware
> +   allocates the bus number and writes it into the Secondary Bus Number
> +   register of the bridge directly above this port. Otherwise, the bus
> +   number of a root port is the first number in the bus-range property,
> +   defaulting to zero.
> +
> +   If firmware leaves the ARI Forwarding Enable bit set in the bridge
> +   above this port, then phys.hi contains the 8-bit function number as
> +   0b00000000 bbbbbbbb ffffffff 00000000. Note that the PCIe specification
> +   recommends that firmware only leaves ARI enabled when it knows that the
> +   OS is ARI-aware.
> +
> +Optional properties:
> +
> +- external-facing:
> +   When present, the port is external-facing. All bridges and endpoints
> +   downstream of this port are external to the machine. The OS can, for
> +   example, use this information to identify devices that cannot be
> +   trusted with relaxed DMA protection, as users could easily attach
> +   malicious devices to this port.
> +
> +Example:
> +
> +pcie@10000000 {
> +	compatible = "pci-host-ecam-generic";
> +	...
> +	pcie@0008 {
> +		/* Root port 00:01.0 is external-facing */
> +		reg = <0x00000800 0 0 0 0>;
> +		external-facing;
> +	};
> +};
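Review bot: the "external-facing" entry under "Optional properties" does not say which nodes may carry it or what form it takes. The section introduction describes ports "as children of the host bridge node", yet the reg text also covers switch ports, which sit below another bridge; and the example writes `external-facing;` as an empty property while the description never states that it takes no value. Stating that it is a boolean (empty) property valid on root port and switch port nodes would remove the guesswork for DT authors and for anyone later writing a schema for this binding.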
> 


* Re: [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property
  2019-04-02 13:15 ` [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property Jean-Philippe Brucker
  2019-04-05 21:39   ` Robin Murphy
@ 2019-04-06  6:06   ` Rob Herring
  1 sibling, 0 replies; 9+ messages in thread
From: Rob Herring @ 2019-04-06  6:06 UTC (permalink / raw)
  To: Jean-Philippe Brucker
  Cc: bhelgaas, robh+dt, mark.rutland, linux-pci, devicetree,
	linux-arm-kernel, Grant.Likely, Jeremy.Linton, Robin.Murphy

On Tue,  2 Apr 2019 14:15:47 +0100, Jean-Philippe Brucker wrote:
> Provide a way for the firmware to tell the OS which devices are external
> to the machine and therefore untrusted. The property can describe for
> example Thunderbolt and other user-accessible ports, which should always
> have the strongest IOMMU protection.
> 
> Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
> ---
>  Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
>  1 file changed, 50 insertions(+)
> 

Reviewed-by: Rob Herring <robh@kernel.org>



* Re: [PATCH v2 0/2] PCI: Describe external-facing ports in device tree
  2019-04-02 13:15 [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Jean-Philippe Brucker
  2019-04-02 13:15 ` [PATCH v2 1/2] dt-bindings: Add external-facing PCIe port property Jean-Philippe Brucker
  2019-04-02 13:15 ` [PATCH v2 2/2] PCI: OF: Support external-facing property Jean-Philippe Brucker
@ 2019-04-06 19:42 ` Grant Likely
  2019-04-09 23:11 ` Bjorn Helgaas
  3 siblings, 0 replies; 9+ messages in thread
From: Grant Likely @ 2019-04-06 19:42 UTC (permalink / raw)
  To: Jean-Philippe Brucker, bhelgaas, robh+dt, Mark Rutland
  Cc: nd, linux-pci, devicetree, linux-arm-kernel, Jeremy Linton, Robin Murphy

On 02/04/2019 20:15, Jean-Philippe Brucker wrote:
> Since v1 [1], I improved the wording of patch 1/2 as suggested by Bjorn.
> 
> Add an "external-facing" property to PCI ports in device-tree, to help
> identify untrusted devices. The notion of untrusted PCI devices was
> added to the v5.0 kernel to describe devices that should have strict
> IOMMU protection [2], for example devices that are plugged in a
> Thunderbolt port. ACPI systems use the ExternalFacingPort property [3].
> Add an equivalent mechanism to device tree.
> 
> [1] https://lore.kernel.org/linux-pci/20190318182124.53859-1-jean-philippe.brucker@arm.com/
> [2] https://lkml.org/lkml/2018/11/26/631
> [3] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports

For both:

Reviewed-by: Grant Likely <grant.likely@arm.com>

> 
> Jean-Philippe Brucker (2):
>    dt-bindings: Add external-facing PCIe port property
>    PCI: OF: Support external-facing property
> 
>   Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
>   drivers/pci/of.c                              |  3 ++
>   2 files changed, 53 insertions(+)
> 



* Re: [PATCH v2 0/2] PCI: Describe external-facing ports in device tree
  2019-04-02 13:15 [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Jean-Philippe Brucker
                   ` (2 preceding siblings ...)
  2019-04-06 19:42 ` [PATCH v2 0/2] PCI: Describe external-facing ports in device tree Grant Likely
@ 2019-04-09 23:11 ` Bjorn Helgaas
  3 siblings, 0 replies; 9+ messages in thread
From: Bjorn Helgaas @ 2019-04-09 23:11 UTC (permalink / raw)
  To: Jean-Philippe Brucker
  Cc: robh+dt, mark.rutland, devicetree, linux-pci, Jeremy.Linton,
	Grant.Likely, Robin.Murphy, linux-arm-kernel

On Tue, Apr 02, 2019 at 02:15:46PM +0100, Jean-Philippe Brucker wrote:
> Since v1 [1], I improved the wording of patch 1/2 as suggested by Bjorn.
> 
> Add an "external-facing" property to PCI ports in device-tree, to help
> identify untrusted devices. The notion of untrusted PCI devices was
> added to the v5.0 kernel to describe devices that should have strict
> IOMMU protection [2], for example devices that are plugged in a
> Thunderbolt port. ACPI systems use the ExternalFacingPort property [3].
> Add an equivalent mechanism to device tree.
> 
> [1] https://lore.kernel.org/linux-pci/20190318182124.53859-1-jean-philippe.brucker@arm.com/
> [2] https://lkml.org/lkml/2018/11/26/631
> [3] https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports#identifying-externally-exposed-pcie-root-ports
> 
> Jean-Philippe Brucker (2):
>   dt-bindings: Add external-facing PCIe port property
>   PCI: OF: Support external-facing property

Applied to pci/enumeration for v5.2, with reviewed-by from Robin and Grant
and from Rob (patch 2 only), thanks!

>  Documentation/devicetree/bindings/pci/pci.txt | 50 +++++++++++++++++++
>  drivers/pci/of.c                              |  3 ++
>  2 files changed, 53 insertions(+)
> 
> -- 
> 2.21.0
> 
> 
