[PATCH iommufd v2 0/9] Remove IOMMU_CAP_INTR_REMAP

From: Jason Gunthorpe <jgg@nvidia.com>
To: Alexander Gordeev <agordeev@linux.ibm.com>,
	Alex Williamson <alex.williamson@redhat.com>,
	Lu Baolu <baolu.lu@linux.intel.com>,
	Christian Borntraeger <borntraeger@linux.ibm.com>,
	Cornelia Huck <cohuck@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Gerald Schaefer <gerald.schaefer@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Heiko Carstens <hca@linux.ibm.com>,
	iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
	Kevin Tian <kevin.tian@intel.com>,
	kvm@vger.kernel.org, linux-s390@vger.kernel.org,
	Marc Zyngier <maz@kernel.org>,
	Robin Murphy <robin.murphy@arm.com>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	Sven Schnelle <svens@linux.ibm.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will@kernel.org>
Cc: Bharat Bhushan <bharat.bhushan@nxp.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Eric Auger <eric.auger@redhat.com>,
	Eric Farman <farman@linux.ibm.com>,
	Marc Zyngier <marc.zyngier@arm.com>,
	Matthew Rosato <mjrosato@linux.ibm.com>,
	Tomasz Nowicki <tomasz.nowicki@caviumnetworks.com>,
	Will Deacon <will.deacon@arm.com>
Subject: [PATCH iommufd v2 0/9] Remove IOMMU_CAP_INTR_REMAP
Date: Mon, 12 Dec 2022 14:45:54 -0400	[thread overview]
Message-ID: <0-v2-10ad79761833+40588-secure_msi_jgg@nvidia.com> (raw)

[ This would be for v6.3, the series depends on a bunch of stuff in
linux-next. I would be happy to merge it through the iommfd tree ]

Currently the kernel has two ways to signal the "isolated MSI" concept
that IOMMU_CAP_INTR_REMAP and irq_domain_check_msi_remap() both lay claim
to.

Harmonize these into a single irq_domain based check under
msi_device_has_isolated_msi().

In real HW "isolated MSI" is implemented in a few different ways:

 - x86 uses "interrupt remapping" which is a block that sits between
   the device and APIC, that can "remap" the MSI MemWr. AMD uses per-RID
   tables to implement isolation while Intel stores the authorized RID in
   each IRTE entry. Part of the remapping is discarding, HW will not
   forward MSIs that don't positively match the tables.

 - ARM GICv3 ITS integrates the concept of an out-of-band "device ID"
   directly into the interrupt controller logic. The tables the GIC checks
   that determine how to deliver the interrupt through the ITS device table
   and interrupt translation tables allow limiting which interrupts device
   IDs can trigger.

 - S390 has unconditionally claimed it has isolated MSI through the iommu
   driver. This is a weaker version of the other arches in that it only
   works between "gisa" domains. See zpci_set_airq() and

    https://lore.kernel.org/r/31af8174-35e9-ebeb-b9ef-74c90d4bfd93@linux.ibm.com/

After this series the "isolated MSI" is tagged based only on the
irq_domains that the interrupt travels through. For x86 enabling interrupt
remapping causes IR irq_domains to be installed in the path, and they can
carry the IRQ_DOMAIN_FLAG_ISOLATED_MSI. For ARM the GICv3 ITS itself
already sets the flag when it is running in a isolated mode, and S390
simply sets it always through an arch hook since it doesn't use
irq_domains at all.

This removes the intrusion of IRQ subsystem information into the iommu
drivers. Linux's iommu_domains abstraction has no bearing at all on the
security of MSI. Even if HW linked to the IOMMU may implement the security
on x86 implementations, Linux models that HW through the irq_domain, not
the iommu_domain.

This is on github: https://github.com/jgunthorpe/linux/commits/secure_msi

v2:
 - Rename secure_msi to isolated_msi
 - Add iommu_group_has_isolated_msi() as a core function to support
   VFIO/iommufd. It checks that the group has a consisent isolated_msi
   to catch driver bugs.
 - Revise comment and commit messages for clarity
 - Drop the VFIO iteration patch since iommu_group_has_isolated_msi() just
   does it.
 - Link to Matthew's discussion about S390 and explain it is less secure
v1: https://lore.kernel.org/r/0-v1-9e466539c244+47b5-secure_msi_jgg@nvidia.com

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Jason Gunthorpe (9):
  irq: Add msi_device_has_isolated_msi()
  iommu: Add iommu_group_has_isolated_msi()
  vfio/type1: Convert to iommu_group_has_isolated_msi()
  iommufd: Convert to msi_device_has_isolated_msi()
  irq: Remove unused irq_domain_check_msi_remap() code
  irq: Rename IRQ_DOMAIN_MSI_REMAP to IRQ_DOMAIN_ISOLATED_MSI
  iommu/x86: Replace IOMMU_CAP_INTR_REMAP with
    IRQ_DOMAIN_FLAG_ISOLATED_MSI
  irq/s390: Add arch_is_isolated_msi() for s390
  iommu: Remove IOMMU_CAP_INTR_REMAP

 arch/s390/include/asm/msi.h         | 17 +++++++++++++
 drivers/iommu/amd/iommu.c           |  5 ++--
 drivers/iommu/intel/iommu.c         |  2 --
 drivers/iommu/intel/irq_remapping.c |  3 ++-
 drivers/iommu/iommu.c               | 23 +++++++++++++++++
 drivers/iommu/iommufd/device.c      |  4 +--
 drivers/iommu/s390-iommu.c          |  2 --
 drivers/irqchip/irq-gic-v3-its.c    |  4 +--
 drivers/vfio/vfio_iommu_type1.c     | 16 +++---------
 include/linux/iommu.h               |  2 +-
 include/linux/irqdomain.h           | 29 +++------------------
 include/linux/msi.h                 | 17 +++++++++++++
 kernel/irq/irqdomain.c              | 39 -----------------------------
 kernel/irq/msi.c                    | 27 ++++++++++++++++++++
 14 files changed, 99 insertions(+), 91 deletions(-)
 create mode 100644 arch/s390/include/asm/msi.h

base-commit: 644f4ef9a6ea0e0c65f949bd6b80857d4223c476
-- 
2.38.1