Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp295000ybp;
        Thu, 3 Oct 2019 13:44:06 -0700 (PDT)
X-Google-Smtp-Source: APXvYqykYDOR8yM2DonVsvWUEcQU7KXeWywiLMznUlioLQRS+HpbD6FBzMLYgw/dTZINO52dCcKh
X-Received: by 2002:aa7:dcd7:: with SMTP id w23mr11458241edu.170.1570135446347;
        Thu, 03 Oct 2019 13:44:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570135446; cv=none;
        d=google.com; s=arc-20160816;
        b=O2MHIK2DXA4tRHswloxCjfZWxp0DXHvLWzRHzWM0RVyaUS4yqr+NkHDif+wlwLhFst
         yfroJzqV9WJRm5YZdyl2CKiE9einmNuQJZF4N0q4R1e41DrNLOq7QlG5irZGi/K7FOAb
         MazL/LbSUSvZD2jJG3SS/7AJGb4U0Fx7s2V3r+0F2f0MJHV9FmRW+oJ+0HOxbI1mQh4v
         dqnTiT5KmeqmxZHJyedTEyw3lqlu0n4oJrNsychyyOzshHw3S1eYc0iRLTQSDrdCyo8a
         F/SkPtJChNaz0E6ROjcbpJJnfZcClU21uw1FQ/R+WgT/qJ9G9YG0Zp44Yqh2VZ0T8Vd7
         rGbg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=smZlIB9cW//eSihlZpcoNj9zTi6r53Am4WK2CgK2ldg=;
        b=fsaTk0CHeKslSDFJeIi+cLa9LDaLflOq80xVtQALogbiUp+NcYdwSn9BbctsHuHFYo
         sPgPFlAeOp2rbU2epU9y/aMtOIeO6g0iWkPhRYu5Oioy7tX1ot9ZQsnsMp+pkYoTj5Dn
         /0y98nyESTA+rAfVFqeFLS2JOrLiKwQEnOUALfBDafStUgk7C10brUlrAuLl5h3s45/1
         GqX5UECG62NcubT0mDmlaEbm0M/V08HabaEx6Y/0p9pbt7N/Ukld2tP5FJ9B2GAXmFIH
         1PkDsxlHdkD5YatXHJWc12fzFZN+nlFUagGbhM+9hT7GHzRlJiSMjsXM8O+JM/zXu8nc
         A7ZA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b58si2214324edc.97.2019.10.03.13.43.41;
        Thu, 03 Oct 2019 13:44:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388920AbfJCUm1 (ORCPT <rfc822;zoe.song.ucas@gmail.com>
        + 99 others); Thu, 3 Oct 2019 16:42:27 -0400
Received: from foss.arm.com ([217.140.110.172]:56256 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726669AbfJCUm0 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Oct 2019 16:42:26 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CF79F337;
        Thu,  3 Oct 2019 13:42:25 -0700 (PDT)
Received: from [192.168.1.124] (unknown [172.31.20.19])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id E00273F739;
        Thu,  3 Oct 2019 13:42:23 -0700 (PDT)
Subject: Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling
 bypass by default
To:     Tim Harvey <tharvey@gateworks.com>,
        Douglas Anderson <dianders@chromium.org>,
        Tirumalesh Chalamarla <tchalamarla@caviumnetworks.com>
Cc:     Joerg Roedel <joro@8bytes.org>, Will Deacon <will.deacon@arm.com>,
        linux-arm-msm@vger.kernel.org, evgreen@chromium.org,
        tfiga@chromium.org, Rob Clark <robdclark@gmail.com>,
        iommu@lists.linux-foundation.org,
        linux-arm-kernel@lists.infradead.org,
        Vivek Gautam <vivek.gautam@codeaurora.org>,
        open list <linux-kernel@vger.kernel.org>
References: <20190301192017.39770-1-dianders@chromium.org>
 <CAJ+vNU0Ma5nG9_ThLO4cdO+=ivf7rmXiHZonF0HY0xx6X3R6Hw@mail.gmail.com>
From:   Robin Murphy <robin.murphy@arm.com>
Message-ID: <5dce2964-8761-e7d0-8963-f0f5cb2feb02@arm.com>
Date:   Thu, 3 Oct 2019 21:42:20 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
 Thunderbird/68.1.1
MIME-Version: 1.0
In-Reply-To: <CAJ+vNU0Ma5nG9_ThLO4cdO+=ivf7rmXiHZonF0HY0xx6X3R6Hw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Tim,

On 2019-10-03 7:27 pm, Tim Harvey wrote:
> On Fri, Mar 1, 2019 at 11:21 AM Douglas Anderson <dianders@chromium.org> wrote:
>>
>> If you're bisecting why your peripherals stopped working, it's
>> probably this CL.  Specifically if you see this in your dmesg:
>>    Unexpected global fault, this could be serious
>> ...then it's almost certainly this CL.
>>
>> Running your IOMMU-enabled peripherals with the IOMMU in bypass mode
>> is insecure and effectively disables the protection they provide.
>> There are few reasons to allow unmatched stream bypass, and even fewer
>> good ones.
>>
>> This patch starts the transition over to make it much harder to run
>> your system insecurely.  Expected steps:
>>
>> 1. By default disable bypass (so anyone insecure will notice) but make
>>     it easy for someone to re-enable bypass with just a KConfig change.
>>     That's this patch.
>>
>> 2. After people have had a little time to come to grips with the fact
>>     that they need to set their IOMMUs properly and have had time to
>>     dig into how to do this, the KConfig will be eliminated and bypass
>>     will simply be disabled.  Folks who are truly upset and still
>>     haven't fixed their system can either figure out how to add
>>     'arm-smmu.disable_bypass=n' to their command line or revert the
>>     patch in their own private kernel.  Of course these folks will be
>>     less secure.
>>
>> Suggested-by: Robin Murphy <robin.murphy@arm.com>
>> Signed-off-by: Douglas Anderson <dianders@chromium.org>
>> ---
> 
> Hi Doug / Robin,
> 
> I ran into this breaking things on OcteonTx boards based on CN80XX
> CPU. The IOMMU configuration is a bit beyond me and I'm hoping you can
> offer some advice. The IOMMU here is cavium,smmu-v2 as defined in
> https://github.com/Gateworks/dts-newport/blob/master/cn81xx-linux.dtsi
> 
> Booting with 'arm-smmu.disable_bypass=n' does indeed work around the
> breakage as the commit suggests.
> 
> Any suggestions for a proper fix?

Ah, you're using the old "mmu-masters" binding (and in a way which isn't 
well-defined - it's never been specified what the stream ID argument(s) 
would mean for a PCI host bridge, and Linux just ignores them). The 
ideal thing would be to update the DT to generic "iommu-map" properties 
- it's been a long time since I last played with a ThunderX, but I 
believe the SMMU stream IDs should just be the same as the ITS device 
IDs (which is how the "mmu-masters" mapping would have played out anyway).

The arm-smmu driver support for the old binding has always relied on 
implicit bypass - there are technical reasons why we can't realistically 
support the full functionality offered to the generic bindings, but it 
would be possible to add some degree of workaround to prevent it 
interacting quite so poorly with disable_bypass, if necessary. Do you 
have deployed systems with DTs that can't be updated, but still might 
need to run new kernels?

Robin.