Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1293009yba;
        Thu, 4 Apr 2019 08:01:16 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy76kngbdcQVMEmDMwwqYA2T6uUcMOGTq9LHsYuAtZsjcVZeHjcs7x3vE90+wSavyhwbmgN
X-Received: by 2002:a17:902:7589:: with SMTP id j9mr6925753pll.287.1554390076813;
        Thu, 04 Apr 2019 08:01:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554390076; cv=none;
        d=google.com; s=arc-20160816;
        b=aweOTBsVA0olCbqlPv8i4pZoWYXHYMgBbPITzn4dJ8Oj1jMKuULiLNGs6bLfZoxtOB
         dsGoEe7FmiSwA1/bp33iA1eKDRwyalUIoYWPAhsDl8xfvU7sJTuuaQVlvG3sFxrgTtg5
         2Tu0h9UTeEF5a7ydmyu2f8FdLjYuvL6BJXE8hnqegA9Hlblb1mkl+8PmbaPKaKLEaxj+
         D2Zlu5Tww2WoQpADN2eRhSI3VTR251AiWmaG/dpJPYPgkBjRhVCdzMcH2g3DUap/X232
         nOLFN5rEfXW2As7KtTOCmlfiVKGX9qnrk/1uhOK6GurCLHoIMtkqfJFHY7SoUT/EFoEW
         SVJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=KGF++zDpKZjj8QSo7GcFnWktYHa+eKavS3myyedY15Y=;
        b=FmDzjUxqzrulQGH9LBvuGKGxaYQglvr+f8sXl3KBQEKk4aPKjZebzZTkVTz4Nqxqnq
         yiWPc6XO5WbC7SVJVQLvbC3nNlN2QP7YHKiGMYfftNiu+Jt0lEz+QdAKYXxr9EMRSvGA
         1HWSA2b9hn2N8uWVCA+3tkXqUrDeRw6c2QQeoEyWZysTeK+aqBbgMbc2YncGpT6ocrtx
         83Z13zv2EqXh/tXM42HYF7+QG7XSfc7Gg9zo9SYdaHM2a6yNO/6W3DOsx7Fxe+fvSpTo
         nBDpp/I/K1mZLvrLIH/2WKAddXxKc/rGbF2Bw3AyYG2/v87JslD0yy+MyRFyC5196w5D
         F7Yg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j7si7095319plk.221.2019.04.04.08.01.00;
        Thu, 04 Apr 2019 08:01:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729013AbfDDPAR (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Thu, 4 Apr 2019 11:00:17 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:33732 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726942AbfDDPAR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 Apr 2019 11:00:17 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 809B9169E;
        Thu,  4 Apr 2019 08:00:16 -0700 (PDT)
Received: from fuggles.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 8F8753F59C;
        Thu,  4 Apr 2019 08:00:14 -0700 (PDT)
Date:   Thu, 4 Apr 2019 16:00:05 +0100
From:   Will Deacon <will.deacon@arm.com>
To:     Douglas Anderson <dianders@chromium.org>
Cc:     Joerg Roedel <joro@8bytes.org>,
        Robin Murphy <robin.murphy@arm.com>,
        linux-arm-msm@vger.kernel.org,
        Vivek Gautam <vivek.gautam@codeaurora.org>,
        Rob Clark <robdclark@gmail.com>, evgreen@chromium.org,
        tfiga@chromium.org, linux-kernel@vger.kernel.org,
        iommu@lists.linux-foundation.org,
        linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling
 bypass by default
Message-ID: <20190404145957.GA25912@fuggles.cambridge.arm.com>
References: <20190301192017.39770-1-dianders@chromium.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190301192017.39770-1-dianders@chromium.org>
User-Agent: Mutt/1.11.1+86 (6f28e57d73f2) ()
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 01, 2019 at 11:20:17AM -0800, Douglas Anderson wrote:
> If you're bisecting why your peripherals stopped working, it's
> probably this CL.  Specifically if you see this in your dmesg:
>   Unexpected global fault, this could be serious
> ...then it's almost certainly this CL.
> 
> Running your IOMMU-enabled peripherals with the IOMMU in bypass mode
> is insecure and effectively disables the protection they provide.
> There are few reasons to allow unmatched stream bypass, and even fewer
> good ones.
> 
> This patch starts the transition over to make it much harder to run
> your system insecurely.  Expected steps:
> 
> 1. By default disable bypass (so anyone insecure will notice) but make
>    it easy for someone to re-enable bypass with just a KConfig change.
>    That's this patch.
> 
> 2. After people have had a little time to come to grips with the fact
>    that they need to set their IOMMUs properly and have had time to
>    dig into how to do this, the KConfig will be eliminated and bypass
>    will simply be disabled.  Folks who are truly upset and still
>    haven't fixed their system can either figure out how to add
>    'arm-smmu.disable_bypass=n' to their command line or revert the
>    patch in their own private kernel.  Of course these folks will be
>    less secure.
> 
> Suggested-by: Robin Murphy <robin.murphy@arm.com>
> Signed-off-by: Douglas Anderson <dianders@chromium.org>
> ---
> 
> Changes in v2:
> - Flipped default to 'yes' and changed comments a lot.
> 
>  drivers/iommu/Kconfig    | 25 +++++++++++++++++++++++++
>  drivers/iommu/arm-smmu.c |  3 ++-
>  2 files changed, 27 insertions(+), 1 deletion(-)

Cheers, I'll pick this one up for 5.2.

Will