Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1555098ybl;
        Tue, 3 Dec 2019 08:58:16 -0800 (PST)
X-Google-Smtp-Source: APXvYqyO9Upbaz/SeFeMKDf4z5Grxnnk1U44flzR3ObgpSiQ3DqZlLXt2yiy6+8PgtVmEtVd4uO3
X-Received: by 2002:a05:6830:10d5:: with SMTP id z21mr4079012oto.30.1575392296344;
        Tue, 03 Dec 2019 08:58:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575392296; cv=none;
        d=google.com; s=arc-20160816;
        b=xcECOF/WLSmMFDtNYNPbY/qo/sa3Bq1QPJQb4DZLagLXhHcdm7GYCk/hzPMzdYeUPI
         zjhPiyk+VghJOnGEXZidWzbT3ydEeKjQUCaEBlH/tiL0ZlDCc785+KxcoxpHQSEkp+9I
         D6DHcXG/Kv9dOWlyaoe0bnkDyo/Isk6iSSgnbYHn+P0xjLOupcgtVLW7fAEAU1w4yuY9
         3B2rbkokN4a8x44HHt5StzJhQr4T/Gj3k2wyVv+obEBldDhfuDlCxViCoMrnKO0xJd9G
         V6/9clqMTfsoI3VN3JgFaRrxzDxAhl4hwKZ4neO0dL3XwYzYhtP3oayHVv5qeei3L2zW
         e+0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=i7Rl2ommOFpZyqjc2xIe8+dnrgxiLpTR5CzNoZds2fo=;
        b=GMfaobg7jgHstz94lC96o56Xy0ylRhIeMNe6ZuO1s3AG58Fp88hWtUhXBkElKlowb/
         nbyjnG19aKCqf6METsLR8SSV9j2ed19VH0PeklFxPPIkH5ykNvh9T06/eiZr/WjPijOe
         vaKACffe49Yr0SEc2HkiCBxZH3mqf/vB9HZtIxQq/rUFkJ+6wwhIbyMHkCkadAtv9OR5
         65kbrrkulOfLW9jeucXd4bN77FePIAzSdQlDNsNdPx5ZhuiTTN8bcGuoWlXKRFZ0hxBE
         cZjHSu64qtSAG99iug9BMzHLDOzRUd7XieGC0P4fo8i5A6FYcZ1mHDot5Ax2Sf/+VSNY
         vGug==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=une3qInd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n129si283417oih.193.2019.12.03.08.58.04;
        Tue, 03 Dec 2019 08:58:16 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=une3qInd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726925AbfLCQdr (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Tue, 3 Dec 2019 11:33:47 -0500
Received: from mail-wm1-f68.google.com ([209.85.128.68]:35589 "EHLO
        mail-wm1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726186AbfLCQdp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Dec 2019 11:33:45 -0500
Received: by mail-wm1-f68.google.com with SMTP id u8so4266544wmu.0
        for <linux-kernel@vger.kernel.org>; Tue, 03 Dec 2019 08:33:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=i7Rl2ommOFpZyqjc2xIe8+dnrgxiLpTR5CzNoZds2fo=;
        b=une3qIndSJoWVUjUi/0G2NHM2XesEgfnFTKtTU+VgTVszaqX3h6Wb+mFixhVGnisgu
         BkiRet5AUR6u9LLTh7N3nXmJPe6DST9mRqyMqbCjWaLz4kV7AzyBC5ZPQtRSjM6emySf
         gnHSd9TIzowsdY17wvPIrfZQwL6KJWh6fdudKc/BOCYU95F2QnBBlSYcXaRidjd8NUVe
         1/mHBV6Zy8wIObKW+ZcnpDneiahFLPFvIHmH9P6Tgysi7bk69dIaPrQExBB1uPenMzRa
         jElTuYb07v2FBhGMX96XnDGH161CgmXXsBztnxjZjDBgfQUV2uOUsfCP9u8NtphdW7+y
         SH3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=i7Rl2ommOFpZyqjc2xIe8+dnrgxiLpTR5CzNoZds2fo=;
        b=fDi7j1GBiJ3JVNuXVHxbUj6VILXKrVQTdfAlzk+EELBXA1kJuNhMcrAHhjmbMXTzZW
         +mypiAR3GjkeeiMi6lR7fzPw/acR5ZvpHt0t23VowWhz/Dz50gv3FKdbY2fUchqFqwOr
         RRH2C4jYuLd/8T+tpgcVCayUDuiYSFFGgpVFpDtlxt61YjQfQ0FDMMyFD+sVIydAnT/D
         qWGGN7z3zIJLEKb0dfmMynAj8xV6WdnNVI97rnuvfBoMLhI3MTBDv4tyjEF54x7jCfsW
         SfODLzH8VjfAAJ3c1p5e9tazrN2KUFlLig10QvKs+eXH+blmIBXCudz3+DASQaFEu+Bo
         /vxQ==
X-Gm-Message-State: APjAAAUe7EbjyrO1s/uAFUIYRnJ8ZQcZw2qkynSLSLA5SVsM8Or9WPWr
        mCN4htMQVGPzW50GFxwJCVw+KjSmaPt4obRn0Syk2w==
X-Received: by 2002:a05:600c:141:: with SMTP id w1mr15345919wmm.61.1575390822794;
 Tue, 03 Dec 2019 08:33:42 -0800 (PST)
MIME-Version: 1.0
References: <20191203004043.174977-1-matthewgarrett@google.com> <CALCETrWUYapn=vTbKnKFVQ3Y4vG0qHwux0ym_To2NWKPew+vrw@mail.gmail.com>
In-Reply-To: <CALCETrWUYapn=vTbKnKFVQ3Y4vG0qHwux0ym_To2NWKPew+vrw@mail.gmail.com>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Tue, 3 Dec 2019 16:33:37 +0000
Message-ID: <CAKv+Gu8ohahrVVvMO0FfJPQL+Um5HoL=OFegTD25RwBP6rgLHQ@mail.gmail.com>
Subject: Re: [PATCH] [EFI,PCI] Allow disabling PCI busmastering on bridges
 during boot
To:     Andy Lutomirski <luto@amacapital.net>
Cc:     Matthew Garrett <matthewgarrett@google.com>,
        linux-efi <linux-efi@vger.kernel.org>, X86 ML <x86@kernel.org>,
        linux-pci <linux-pci@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Matthew Garrett <mjg59@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 3 Dec 2019 at 15:30, Andy Lutomirski <luto@amacapital.net> wrote:
>
> On Mon, Dec 2, 2019 at 4:41 PM Matthew Garrett
> <matthewgarrett@google.com> wrote:
> >
> > Add an option to disable the busmaster bit in the control register on
> > all PCI bridges before calling ExitBootServices() and passing control to
> > the runtime kernel. System firmware may configure the IOMMU to prevent
> > malicious PCI devices from being able to attack the OS via DMA. However,
> > since firmware can't guarantee that the OS is IOMMU-aware, it will tear
> > down IOMMU configuration when ExitBootServices() is called. This leaves
> > a window between where a hostile device could still cause damage before
> > Linux configures the IOMMU again.
> >
> > If CONFIG_EFI_NO_BUSMASTER is enabled or the "disable_busmaster=1"
> > commandline argument is passed, the EFI stub will clear the busmaster
> > bit on all PCI bridges before ExitBootServices() is called. This will
> > prevent any malicious PCI devices from being able to perform DMA until
> > the kernel reenables busmastering after configuring the IOMMU.
>
> I hate to be an obnoxious bikeshedder, but I really dislike the
> "disable_busmaster" name.  I read this and $SUBJECT as "for some
> reason, the admin wants to operate the system with busmastering off".
> What you really want is something more like "disable busmastering
> before IOMMU initialization".  Maybe
> "iommu.disable_busmaster_before_init"?
>
> Similarly, EFI_NO_BUSMASTER sounds like a permanent state of affairs.
>
> Would a similar patch apply to non-EFI boot?  That is, in a BIOS boot,
> is busmastering on when the kernel is loaded?
>

Yes, bus mastering is on, but since legacy BIOS may implement things
like PS/2 emulation or other compatibility hacks where the PCI masters
(devices or bridges) may need to be left enabled across the transition
from firmware into the OS, I don't think it is wise to try and
implement this feature for it.

So the EFI stub is a reasonable place to put a feature like this,
except for the fact that [on x86], it does not get invoked unless GRUB
boots your kernel with 'linuxefi' rather than 'linux', and so in the
majority of cases, I guess we are essentially doing legacy BIOS boot,
even on UEFI systems.