Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1750214ybl;
        Tue, 3 Dec 2019 12:04:18 -0800 (PST)
X-Google-Smtp-Source: APXvYqxNtC7jyhMozeOUsZEveiYHUbbj0kETv9QoLEolOAtI1XdXi3s9Ah4nXkHtYCPJVgoLdrkt
X-Received: by 2002:aca:d4c1:: with SMTP id l184mr5272377oig.172.1575403458421;
        Tue, 03 Dec 2019 12:04:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1575403458; cv=none;
        d=google.com; s=arc-20160816;
        b=b0GJZhWv3EhGu7BgvPUUPhss6KPUOyV121uBGb7lem5M1de8U6B32I5ccYm4LEnnPy
         DVbJsX1LvWBBPCyrwz6jn9ufu/pxBgaDw4UJt6WL0QQXGjqRbtFABzdx2sd1k6tENi1Z
         DstconbX9zykIFr0WNGEhyKT3Wf7PjPV6jDzotXDZzSJDaHiugEeoQTwqeTYjhP6Fqtx
         jDd8TKm0RYlkmL5ACczw4xCxJtye8+0NPq2HZfVnchpaycmrj6mnryprhHw6avfp/K/H
         whMMKQg28h2Z4dDD8h9MUyTNdhuhLsSBuHknhBAk/o+7pQ9G3jc4z0sKzfbDWyRoQG1W
         Ziiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=8ch+WNijaY6AsPxm0+XePiTtapq06gZNm+FnTtW+Yvk=;
        b=LT8sLo5emu6fV7I27v7+t76TiySa/d8GiQ5Zd7fK1YmcU91RPy+uJxohMl/StZx6hI
         1XyDQxmk5Nzrs+SySzq2BD31E8krhmCrn8q/IV6BXIEE1oX1Ugu1HUL6n55mDu5GQA5R
         ab1QHPSAhaD/upuoKi1xfw4H3FpHRoEL9Y4Iwcp+B93qvZkdwkhfEmDMDOXtYy1Jw8IR
         QB7U90VVYa7ie/be0/LYHUMiuwsFioNQT5QW+I1oHazfHkOZRhUiTL+5h22zUnkVdA8J
         80M5rYvcfSQCa1+KK1ifG0unECFH+z5TMc2ZjKSbMi0k1ThkY+pzSH9pch8f0ko4vJQU
         dW5w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=cUiQ2WxJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o13si1754650otp.27.2019.12.03.12.04.03;
        Tue, 03 Dec 2019 12:04:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=cUiQ2WxJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726567AbfLCTkg (ORCPT <rfc822;tluu11sec@gmail.com> + 99 others);
        Tue, 3 Dec 2019 14:40:36 -0500
Received: from mail-io1-f68.google.com ([209.85.166.68]:46015 "EHLO
        mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726079AbfLCTkf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Dec 2019 14:40:35 -0500
Received: by mail-io1-f68.google.com with SMTP id i11so5062152ioi.12
        for <linux-kernel@vger.kernel.org>; Tue, 03 Dec 2019 11:40:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8ch+WNijaY6AsPxm0+XePiTtapq06gZNm+FnTtW+Yvk=;
        b=cUiQ2WxJYfgxGRtIYYrBFgideFa64zwJVC0xM+vPn1heDbtP8PS8yhn2SslWuKeDcv
         qhLffbJ3Uo+Xo+PBrM9d1srYRC+HpClcuPS7jDcp7nCHYvNKj3tAiPHBPOeKB6nyEJgr
         hAziOs01GF/Nm9RN1Ac/APBu0vvoX7TLuXjbEo16RDF+snyauxsyRnPMV36z/iiP3SDn
         hKDznvFTSRzqAqz2WkQLpDHNKsS+cvsRHjWorCY9fY2HMWbBfkQv7Akz/++xiyUkfxYF
         soTgico8aclq+HXraOhqfo7I5eaUa1BR59m74mMTlpG6jLAnZo16mBg2DDLjOz1EzXtX
         1Nwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=8ch+WNijaY6AsPxm0+XePiTtapq06gZNm+FnTtW+Yvk=;
        b=fgzlccU8fNwb48PMiJn78ZDoHfHCvfwiME7dQBDeOcdTwCwGTsr6Urskex5gG4zMSH
         XmAC119hQPWMA1QjLW/Ww1Y36VFPPzPjShxe2wHc/TthbJQ7DrZx02lkvl5Iaa/zqdm7
         SUfMcK0fzvSDw+jT8yyu5HqX2oVNZ2/ebWccW4MY3ZxbqlY+2Pa8bAr8k+fLWXoup9ki
         B7T9W6LhA0RJC6SR0dPAFX4jLkmEZw+owOFoD1sumPUU2lcLPYswyrnZetBwceHsV3Mg
         rPlogf7AaW8hwcjAEHF5GXItXTfSStCXaxPOumm5GU8W1CEqDZ57n3336xhKQGmVkGuz
         EdtQ==
X-Gm-Message-State: APjAAAWmih74yUne5By8Q7GYdniDri+GT5dN8qbiMaj1NEBgQ56iKcl3
        /0BayU7HCdDC085wTPTILInOe/dkA04a8S2BDDiMGg==
X-Received: by 2002:a5e:df06:: with SMTP id f6mr3715528ioq.84.1575402034437;
 Tue, 03 Dec 2019 11:40:34 -0800 (PST)
MIME-Version: 1.0
References: <20191203004043.174977-1-matthewgarrett@google.com>
 <CACdnJus7nHdr4p4H1j5as9eB=FG-uX+wy_tjvTQ5ObErDJHdow@mail.gmail.com> <CAKv+Gu8emrf7WbTyGc8QDykX_hZbrVtxJKkRVbGFhd8rd13yww@mail.gmail.com>
In-Reply-To: <CAKv+Gu8emrf7WbTyGc8QDykX_hZbrVtxJKkRVbGFhd8rd13yww@mail.gmail.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Tue, 3 Dec 2019 11:40:23 -0800
Message-ID: <CACdnJusMeC+G3wq_oDGTYi1CBMWDiuq4NdANTBmhNBTDu5zCug@mail.gmail.com>
Subject: Re: [PATCH] [EFI,PCI] Allow disabling PCI busmastering on bridges
 during boot
To:     Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc:     Laszlo Ersek <lersek@redhat.com>,
        linux-efi <linux-efi@vger.kernel.org>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        linux-pci <linux-pci@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 3, 2019 at 3:54 AM Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:

> There is no reason this shouldn't apply to ARM, but disabling bus
> mastering like that before the drivers themselves get a chance to do
> so is likely to cause trouble. Network devices or storage controllers
> that are still running and have live descriptor rings in DMA memory
> shouldn't get the rug pulled from under their feet like that by
> blindly disabling the BM attribute on all root ports before their
> drivers have had the opportunity to do this cleanly.

Yes, whether this causes problems is going to be influenced by the
behaviour of the hardware on the system. That's why I'm not defaulting
it to being enabled :)

> One trick we implemented in EDK2 for memory encryption was to do the
> following (Laszlo, mind correcting me here if I am remembering this
> wrong?)
> - create an event X
> - register an AtExitBootServices event that signals event X in its handler
> - in the handler of event X, iterate over all PPBs to clear the bus
> master attribute
> - for bonus points, do the same for the PCIe devices themselves,
> because root ports are known to exist that entirely ignore the BM
> attribute
>
> This way, event X should get handled after all the drivers' EBS event
> handlers have been called.

Can we guarantee that this happens before IOMMU state teardown? I
don't think there's a benefit to clearing the bit on endpoint devices,
if they're malicious they're just going to turn it back on anyway.