Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1461182ybl;
        Tue, 3 Dec 2019 07:31:13 -0800 (PST)
X-Google-Smtp-Source: APXvYqxz2rpwJDUSsRmiWQEdxt5sdh+VJUmyyvOSk+bru45ZFn/Sl6kmXxwm3PJihI+pIDM39bbH
X-Received: by 2002:a9d:6f11:: with SMTP id n17mr3453030otq.126.1575387072960;
        Tue, 03 Dec 2019 07:31:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575387072; cv=none;
        d=google.com; s=arc-20160816;
        b=mEBGeRS3HTsqwzOW/O2WSUlB1UJ+VOb6EUOgM32IgApkbR5kN0m4Gko9m8fa1VUxdc
         Gc/FX5i/dzzmfCQQSFfAL+YS+xhJapbfjR4KwPizvnWIGkBgtX55Hw/W2o8n9EO/KAWC
         zuYKYtBhmeE8vVu/E0P8wa2Dcl15jWSJYRVM7IWkTfddId54XE2Ti9VQVNm2HoNIaLRT
         jd4lHhviADz1flLGrbClfbOMEx/jPQe48EUR/jouW4qwRIe7zL+nqCbJNu24ADjPvftY
         USDvQaaPwvZPbVpQmYZnvvKrS2lVzowA/KJIoMxN8BD8Gcq7I+Sqv5z7xSfg2XQWvwMV
         nBbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=VNwFXPekhWv2eWzhcVjVYpipKkMgjKBl/x6cxxZotUw=;
        b=shL/lGCWan7gnuNwe8BgIKxuwEKQxnbLoJCPilXCzuXPlMmInydbDhhxGxtUTwM67r
         q3+GkXIeRgWUbdq4BeJVHMQA2dI+3mm8VHEGmPrIlKnH+YyHQsUuSYs6TYwAcNernPFa
         AqdeKW92Boyz+AiJ7X5w64EfeeBhEsO2/g0WZQhyMMxPQQk0kaSZDd03gN2Qkky0gAO5
         c8ZFQM1GC8FZC7aUM6GILb+iorgheP8sVodStmlHEMVQbM00WFH9o4VEUzbcPmECyGGy
         Dvcn9QVLkaNBYZMQYk9OpbkHmpAhnJWwOwVvu6PXw3b/MXezAVQRMO2yRUKSX/HUgAoi
         CM1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=1xmyuh6Q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i15si1367406otk.120.2019.12.03.07.31.00;
        Tue, 03 Dec 2019 07:31:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=1xmyuh6Q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727044AbfLCPaU (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Tue, 3 Dec 2019 10:30:20 -0500
Received: from mail-wr1-f67.google.com ([209.85.221.67]:36994 "EHLO
        mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726843AbfLCPaU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Dec 2019 10:30:20 -0500
Received: by mail-wr1-f67.google.com with SMTP id w15so4213512wru.4
        for <linux-kernel@vger.kernel.org>; Tue, 03 Dec 2019 07:30:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=VNwFXPekhWv2eWzhcVjVYpipKkMgjKBl/x6cxxZotUw=;
        b=1xmyuh6Q4BEGz3DUn6Oygwz3dLh7jtOKkgYrwruEzDQIOyp/C02nFpj9llkoTJS1zy
         mKjWEeUpRzjUbBy4gvYwvCQcaFl4QGcScLRnryehvKnasb4ws4iHqrawvY/ss+9DHqqm
         UeTIQa+n69bQXmuHnr37kRIt8bPAN0YyMdbiTrYlOlErcgIHHmqsAEZciIn5tSkOUFzr
         nPnJ7/uEdvJj9TdcgHowkij+dPMTwU9cBQAwbzoNkHXM161pvrONEyPKp1wr5KddW1L3
         97Hkw8B67WLW9CgbUwk6Vh4nY7xpSw3+CZK03pCcwCe0sgYBJ9d4vUCaOVywuEdki0yZ
         R2yQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=VNwFXPekhWv2eWzhcVjVYpipKkMgjKBl/x6cxxZotUw=;
        b=d7xnw+3o1I8QoMbv6qiv8R9Qv4wqGgoujfYUX2VVMMPbwPdyONuEe52WxAwx6BRWS1
         WqW+EhTJD7IcQGqDrIb0rmuONPRtr27RLFuFE6NCSpDLjhdTdu97aE8XYixaiA696smv
         PgAOQYDh2vKvbzqnqPFmID05ceM2QNEGpk69Vdfnp57BUpic9eEkxVDF0s1b3WDqs/La
         FrDXlC/Sh93mUIQxj7y5LqymfnFl4sSKIlDLQnHIx5cLBu2zosrroBR7csHjPjcJOH84
         8JQK+24JkYgCCFI6FtzAqi/LXOI0KuBjee/tGAO3bOhsJ1PzkuQNB85WrYJDZ2u4ki2P
         dJwg==
X-Gm-Message-State: APjAAAXnpFRYnkSz7Qq+w1MdrHc+wk979G8T/NVkRnCa8xILv4YtHG6N
        bd7lbQY7QrDqLgL3alAq8LjgISfcd/XnJ1HwuSgVgA==
X-Received: by 2002:adf:f491:: with SMTP id l17mr5718407wro.149.1575387017828;
 Tue, 03 Dec 2019 07:30:17 -0800 (PST)
MIME-Version: 1.0
References: <20191203004043.174977-1-matthewgarrett@google.com>
In-Reply-To: <20191203004043.174977-1-matthewgarrett@google.com>
From:   Andy Lutomirski <luto@amacapital.net>
Date:   Tue, 3 Dec 2019 07:30:06 -0800
Message-ID: <CALCETrWUYapn=vTbKnKFVQ3Y4vG0qHwux0ym_To2NWKPew+vrw@mail.gmail.com>
Subject: Re: [PATCH] [EFI,PCI] Allow disabling PCI busmastering on bridges
 during boot
To:     Matthew Garrett <matthewgarrett@google.com>
Cc:     linux-efi <linux-efi@vger.kernel.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        X86 ML <x86@kernel.org>, linux-pci@vger.kernel.org,
        LKML <linux-kernel@vger.kernel.org>,
        Matthew Garrett <mjg59@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Dec 2, 2019 at 4:41 PM Matthew Garrett
<matthewgarrett@google.com> wrote:
>
> Add an option to disable the busmaster bit in the control register on
> all PCI bridges before calling ExitBootServices() and passing control to
> the runtime kernel. System firmware may configure the IOMMU to prevent
> malicious PCI devices from being able to attack the OS via DMA. However,
> since firmware can't guarantee that the OS is IOMMU-aware, it will tear
> down IOMMU configuration when ExitBootServices() is called. This leaves
> a window between where a hostile device could still cause damage before
> Linux configures the IOMMU again.
>
> If CONFIG_EFI_NO_BUSMASTER is enabled or the "disable_busmaster=1"
> commandline argument is passed, the EFI stub will clear the busmaster
> bit on all PCI bridges before ExitBootServices() is called. This will
> prevent any malicious PCI devices from being able to perform DMA until
> the kernel reenables busmastering after configuring the IOMMU.

I hate to be an obnoxious bikeshedder, but I really dislike the
"disable_busmaster" name.  I read this and $SUBJECT as "for some
reason, the admin wants to operate the system with busmastering off".
What you really want is something more like "disable busmastering
before IOMMU initialization".  Maybe
"iommu.disable_busmaster_before_init"?

Similarly, EFI_NO_BUSMASTER sounds like a permanent state of affairs.

Would a similar patch apply to non-EFI boot?  That is, in a BIOS boot,
is busmastering on when the kernel is loaded?

--Andy