Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp125381ybl; Tue, 3 Dec 2019 23:12:36 -0800 (PST) X-Google-Smtp-Source: APXvYqw0oct+30vowybgQzgF5GyaCSLREmdhlLWy1N1uWdEBCa61QZHrc2HYqfBAmVADxlGtlQKR X-Received: by 2002:a05:6830:1309:: with SMTP id p9mr1491509otq.328.1575443556206; Tue, 03 Dec 2019 23:12:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575443556; cv=none; d=google.com; s=arc-20160816; b=XxVdxuMEupRQXqUXe3F1M107aaiNj7Q0AJQcFdxIWqNjrJvWmc2DwcDIgrYECaITjq 6Fhq+xwBhUVhJoc1Zzv1dcmNTN14ooHRZk5fU0i+0HgXzDWmDfyGnCppyoTU1HteSyT3 np68DFoyApGJSf3l7kMWtbw5wf0NZRNtjKLjuHVov3RGiDADcOViwicepA925OyPBhPe oVEfPG84NjPbXsAEbgR1y1nqyHyAZRP4NM994ELn3cyNCkOX40CA49nN5NyxdBl6bj1d evt0KlLm6TUKRouqTenUFXXGeqGz+NomVxodtud8MuvGuR5lL5riqccbowp020nwiTXz h5/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=a3GIPUfE5I/ZyJJRgqWyUDcz6F8Tn8l5oMVwt7sXiPo=; b=q583NXAWQi2w6PxV15A4dW1K1X9Vi8HXIAlZASBNCDU1x5iWIyg1J8eDx/u4V16YgV ApCQrAtSWH9sobzy8itZXFzu1i5u6PWkYC/F5UqggeJj4iXyLZWVJqEMjiFwm/jz9blX ItAGZ1h8zaIIRIVMNiwytEt/4fQiHJ8fbnw80T23PTa5MEdG40ShPSzNEdeMe6MTcecG tEuAC9X/Y5kpUQgDSLbr7uziIcNE7eSFluberQtDUhlCij/t5Ll3VrRgYIN1XBEDp3c+ AAVs0rANYuQWOcTIj1qClLKmVPEYHBcMmYBGhrU/OHtLrrXpahpuSarYUt8XfzcvazS0 DlSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EYkrsiJ2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s1si2680963otr.244.2019.12.03.23.12.24; Tue, 03 Dec 2019 23:12:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=EYkrsiJ2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727254AbfLDHLq (ORCPT + 99 others); Wed, 4 Dec 2019 02:11:46 -0500 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:39104 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725958AbfLDHLp (ORCPT ); Wed, 4 Dec 2019 02:11:45 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1575443504; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=a3GIPUfE5I/ZyJJRgqWyUDcz6F8Tn8l5oMVwt7sXiPo=; b=EYkrsiJ2gPNCRrqnmh6zt8P7DtfyQajaUpPbEDyofmvBp7PN85hlt7c95yOss8krXt3oLO h/wNwaLxstrN1FM+DPU72fYgouUrKm1F8jzlw/vrIJwdM3zqmtn46fTpYYeEEjDX6XMyuv fqighRxYd+NFiSDGBec1EPCewSPy15U= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-338-7Dzj02e6PQOVam7-eHRalg-1; Wed, 04 Dec 2019 02:11:41 -0500 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id F13C418A8CA1; Wed, 4 Dec 2019 07:11:39 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-154.ams2.redhat.com [10.36.116.154]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2870860C85; Wed, 4 Dec 2019 07:11:37 +0000 (UTC) Subject: Re: [PATCH] [EFI,PCI] Allow disabling PCI busmastering on bridges during boot To: Matthew Garrett , Ard Biesheuvel Cc: linux-efi , the arch/x86 maintainers , linux-pci , Linux Kernel Mailing List References: <20191203004043.174977-1-matthewgarrett@google.com> From: Laszlo Ersek Message-ID: <41cecdd8-f411-00c4-be82-be5d4d13fcb1@redhat.com> Date: Wed, 4 Dec 2019 08:11:36 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-MC-Unique: 7Dzj02e6PQOVam7-eHRalg-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/03/19 20:40, Matthew Garrett wrote: > On Tue, Dec 3, 2019 at 3:54 AM Ard Biesheuvel wrote: > >> There is no reason this shouldn't apply to ARM, but disabling bus >> mastering like that before the drivers themselves get a chance to do >> so is likely to cause trouble. Network devices or storage controllers >> that are still running and have live descriptor rings in DMA memory >> shouldn't get the rug pulled from under their feet like that by >> blindly disabling the BM attribute on all root ports before their >> drivers have had the opportunity to do this cleanly. > > Yes, whether this causes problems is going to be influenced by the > behaviour of the hardware on the system. That's why I'm not defaulting > it to being enabled :) > >> One trick we implemented in EDK2 for memory encryption was to do the >> following (Laszlo, mind correcting me here if I am remembering this >> wrong?) >> - create an event X >> - register an AtExitBootServices event that signals event X in its handler >> - in the handler of event X, iterate over all PPBs to clear the bus >> master attribute >> - for bonus points, do the same for the PCIe devices themselves, >> because root ports are known to exist that entirely ignore the BM >> attribute >> >> This way, event X should get handled after all the drivers' EBS event >> handlers have been called. > > Can we guarantee that this happens before IOMMU state teardown? In OVMF, the handler of "event X" is in the IOMMU driver itself, so it's the IOMMU driver that takes care of blacklisting everything *after* other drivers had a chance to clean up. But in this case, we'd have to insert the PPB clearing *before* the (platform's) IOMMU driver's EBS handler (because the latter is going to deny, not permit, everything); and we can't modify the IOMMU driver. I guess we could install an EBS handler with TPL_NOTIFY (PciIo usage appears permitted at TPL_NOTIFY, from "Table 27. TPL Restrictions"). But: - if the IOMMU driver's EBS handler is also to be enqueued at TPL_NOTIFY, then the order will be unspecified - if a PCI driver sets up an EBS handler at TPL_CALLBACK, then in our handler we could shut down a PPB in front of a device bound by that driver too early. Handling dependencies between event notification functions is a never-ending struggle in UEFI, AFAICT. > I don't think there's a benefit to clearing the bit on endpoint devices, > if they're malicious they're just going to turn it back on anyway. > Thanks Laszlo