Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp803218ybt; Fri, 26 Jun 2020 11:55:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxuAnt/XC0gStuliadXcSFY7Cx+UCGClHDNO57uaR01f+IX3JFSyOBYIQQa9jsjPbL34Y+6 X-Received: by 2002:a17:906:1499:: with SMTP id x25mr3777029ejc.406.1593197733700; Fri, 26 Jun 2020 11:55:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593197733; cv=none; d=google.com; s=arc-20160816; b=W32xXIJLaxZgHNmTE8x+hWqmpPv6Lh2oiPioUpI1dafYn/ZadXse3WNprie7+czG97 FkD8eaYI/YeEIqMKSPcOHCx1ZTkO2Rci3lIN2eWrCR5rvIhTdOngGhCW++zPDRObgOpH AmylTTqsoT3jOfNZ9G5KjNuCdrxrR9TkS87DmNtfqLWLV/YG3Ys9HGgp62iSI0jfwMfa gUSiugx7z1KQDl6vEJR2swZW7sBPfZ0cWtkPNSQW9Ci5mCIaGBagjAr4tjHUsj8amFOv Tw5BZOB8O8wIXhZBs0ll8cIPsn4fB6RZ+LCTrrPJHnxVm+rj6D8zr9S0fJEF1xEohrpa uEgQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=TyklzFj5dCuXNYg3v7eYVOhPNqVFIXACBXr++QvGvZI=; b=EgltBXuJ/9Hnl5gtaE+nRykLtMaQamgX2BudXB6FNq+9jlHmYKr9eQZIj6/InmFM+D n1aCVP/tUBgAlE6og8NI5WVM22dftb0EidEc+cHrJQiK9cbNzZYvUAycdFuvw8wi8LmQ ZwshZ4/X+c7x/+BuRtQc8wu9avHFViF7DRyBvvUMXZ0nGDpwdVyyZo6xGrV6aSf1aYUe 7y6kagH9Szg9pNZ23y2kH8+XpFnBwIXIrFTIJDmm44oenOGMRPc2viv1U2yzF4tgChvV kv+RfxeonXrdblERlpYa+zueuAbsVvH5lCt5a6pSZC40AlaZVSlfsfllXa+D9HZio7lt DVuQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="Q3jSm/c7"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qq26si3286258ejb.675.2020.06.26.11.55.09; Fri, 26 Jun 2020 11:55:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="Q3jSm/c7"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725975AbgFZSyR (ORCPT + 99 others); Fri, 26 Jun 2020 14:54:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55938 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725935AbgFZSyN (ORCPT ); Fri, 26 Jun 2020 14:54:13 -0400 Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F0569C03E97B for ; Fri, 26 Jun 2020 11:54:12 -0700 (PDT) Received: by mail-lj1-x244.google.com with SMTP id q19so11424012lji.2 for ; Fri, 26 Jun 2020 11:54:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TyklzFj5dCuXNYg3v7eYVOhPNqVFIXACBXr++QvGvZI=; b=Q3jSm/c7nM2RMkN/kkJWHeLwAsdboqUxRzth/uSa6NXSM8oXMtiMhj9f8WBol97E5l ky6f/QaC4KZ4YCnTQZ3BF5dIXjlSPV4QoV2wqdt2Mxc0dLVha+jmh1N//dKeYUM0kj/p Cdd4nWsofe4nR1h6Arv8qYj2pSAqwLLlXKo4g4QCtxbm6LC94tNL9HBuchzz8CHS2BAX yl2h1pg/AJIJGgSiC33mfu7Wo9ZAOmNg5sJcT1GNiIaf52Hd/o1vV9XDmSUrR47ulwLj ref9AD+MOaS2oD3rCYWv+1d1sjD/0C8RZj9PYTuYlbI4YRzLWzNCmbCgcQYmWu2Ufvyd PAzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TyklzFj5dCuXNYg3v7eYVOhPNqVFIXACBXr++QvGvZI=; b=NvGGhH5PNAYpC41LcuImlUr3n9jKM/fnVH0paJ/pbxKPNN55sgauWpY8E5lJBRNswA px0cczAU8m8AfgS6C6PqskCon9V5VvDkAPixmBT48w6kdACyElooZkPZyjwAHQWXkbnz zIddY2KxLCQpXr0OCpwAIxVr8JiqAclpmxVsiDLE8B6+MBliifTJHtVTMPdjg8K43klO ykmQyGStIeMUx/ZnDhVrQpPpxvg5HW1ANb43rfWaM1BPkicPq6mgw2m2XF3vpM200XwX SsRRWbH4f0DhQH+V1IETsYSiVX+6OhmGntbZ+LOaOmO5gHtVtjmqCBRCbnOWrc0Iu5Cp eKLQ== X-Gm-Message-State: AOAM531DszH5I1G59tti/n7zjDw+vpHp0JHhw8m38CBsj1fHQFTM8wD3 LXEAwCJym4VOecBQoqX7GAixeteWk4dFrVHl3WJ5Uw== X-Received: by 2002:a2e:858e:: with SMTP id b14mr2218327lji.301.1593197651010; Fri, 26 Jun 2020 11:54:11 -0700 (PDT) MIME-Version: 1.0 References: <20200626002710.110200-1-rajatja@google.com> <20200626002710.110200-2-rajatja@google.com> <20200626141754.GB4141629@kroah.com> In-Reply-To: <20200626141754.GB4141629@kroah.com> From: Rajat Jain Date: Fri, 26 Jun 2020 11:53:34 -0700 Message-ID: Subject: Re: [PATCH 2/2] pci: Add parameter to disable attaching untrusted devices To: Greg Kroah-Hartman Cc: David Woodhouse , Lu Baolu , Joerg Roedel , Bjorn Helgaas , "Rafael J. Wysocki" , Len Brown , iommu@lists.linux-foundation.org, Linux Kernel Mailing List , linux-pci , ACPI Devel Maling List , Raj Ashok , "Krishnakumar, Lalithambika" , Mika Westerberg , Jean-Philippe Brucker , Prashant Malani , Benson Leung , Todd Broch , Alex Levin , Mattias Nissler , Rajat Jain , Bernie Keany , Aaron Durbin , Diego Rivas , Duncan Laurie , Furquan Shaikh , Jesse Barnes , Christian Kellner , Alex Williamson , "Oliver O'Halloran" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, Thanks for taking a look. On Fri, Jun 26, 2020 at 7:18 AM Greg Kroah-Hartman wrote: > > On Thu, Jun 25, 2020 at 05:27:10PM -0700, Rajat Jain wrote: > > Introduce a PCI parameter that disables the automatic attachment of > > untrusted devices to their drivers. > > > > Signed-off-by: Rajat Jain > > --- > > Context: > > > > I set out to implement the approach outlined in > > https://lkml.org/lkml/2020/6/9/1331 > > https://lkml.org/lkml/2020/6/15/1453 > > > > But to my surprise, I found that the new hotplugged PCI devices > > were getting automatically attached to drivers even though > > /sys/bus/pci/drivers_autoprobe was set to 0. > > > > I realized that the device core's "drivers_autoprobe": > > > > * only disables the *initial* probe of the device (i.e. from > > device_add()). If a subsystem calls device_attach() explicitly > > for its devices like PCI subsystem does, the drivers_autoprobe > > setting does not matter. The core will attach device to the driver. > > This looks like correct semantic behavior to me because PCI is > > explicitly calling device_attach(), which is a way to explicitly > > ask the core to find and attach a driver for a device. > > > > * "drivers_autoprobe" cannot be controlled at boot time (to restrict > > any drivers before userspace comes up). > > > > The options I considered were: > > > > 1) Change device_attach() so that it takes into consideration the > > drivers_autoprobe property. Not sure if this is semantically correct > > thing to do though. If I do this, then the only way a driver can > > be attached to the drivers would be via userspace > > (/sys/bus/pci/drivers/bind) (Good for our use case though!). > > This is the correct thing to do here, haven't I been asking you do move > this logic into the driver core so that all busses can use it? (please see below) > > > 2) Make the drivers_autoprobe property available to PCI to use > > (currently it is private to device core). The PCI could use this > > to determine whether or not to call device_attach(). This still > > leaves the other problem (of not being able to set > > drivers_autoprobe via command line open). > > Ick, command lines are horrible, don't do that if at all possible. On > some systems they are not able to be changed which can be good or bad... (please see below) > > > 3) I found the pci_dev->match_driver, which seemed similar to what I > > am trying to do, but can't be controlled from userspace. I considered > > populating that field based on drivers_autoprobe (still need (2)). > > But the problem is that there is the AMD IOMMU driver which is setting > > this independently, so setting the match_driver based on > > drivers_autoprobe may not be a good idea. May be we can populate it > > for untrusted devicesi, based on the parameter that I'm introducing? > > > > 4) This patch was my option 4 that helps fix both the problems for me. > > I suggest putting some of the above text in the changelog, as it has a > lot of good context, while your existing changelog is pretty sparse and > does not explain anything... Will do. > > > > > > drivers/pci/bus.c | 11 ++++++++--- > > drivers/pci/pci.c | 9 +++++++++ > > drivers/pci/pci.h | 1 + > > 3 files changed, 18 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c > > index 3cef835b375fd..336aeeb4c4ebf 100644 > > --- a/drivers/pci/bus.c > > +++ b/drivers/pci/bus.c > > @@ -321,9 +321,14 @@ void pci_bus_add_device(struct pci_dev *dev) > > pci_bridge_d3_update(dev); > > > > dev->match_driver = true; > > - retval = device_attach(&dev->dev); > > - if (retval < 0 && retval != -EPROBE_DEFER) > > - pci_warn(dev, "device attach failed (%d)\n", retval); > > + > > + if (dev->untrusted && pci_dont_attach_untrusted_devs) { > > + pci_info(dev, "not attaching untrusted device\n"); > > + } else { > > + retval = device_attach(&dev->dev); > > + if (retval < 0 && retval != -EPROBE_DEFER) > > + pci_warn(dev, "device attach failed (%d)\n", retval); > > + } > > > > pci_dev_assign_added(dev, true); > > } > > diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c > > index ce096272f52b1..dec1f9ef27d71 100644 > > --- a/drivers/pci/pci.c > > +++ b/drivers/pci/pci.c > > @@ -127,6 +127,13 @@ static bool pcie_ats_disabled; > > /* If set, the PCI config space of each device is printed during boot. */ > > bool pci_early_dump; > > > > +/* > > + * If set, the devices with "untrusted" flag shall not be attached automatically > > + * Userspace will need to attach them manually: > > + * echo > /sys/bus/pci/drivers//bind > > + */ > > +bool pci_dont_attach_untrusted_devs; > > + > > bool pci_ats_disabled(void) > > { > > return pcie_ats_disabled; > > @@ -6522,6 +6529,8 @@ static int __init pci_setup(char *str) > > pci_add_flags(PCI_SCAN_ALL_PCIE_DEVS); > > } else if (!strncmp(str, "disable_acs_redir=", 18)) { > > disable_acs_redir_param = str + 18; > > + } else if (!strcmp(str, "dont_attach_untrusted_devs")) { > > + pci_dont_attach_untrusted_devs = true; > > } else { > > pr_err("PCI: Unknown option `%s'\n", str); > > } > > diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h > > index 6d3f758671064..30ffad047d926 100644 > > --- a/drivers/pci/pci.h > > +++ b/drivers/pci/pci.h > > @@ -13,6 +13,7 @@ > > > > extern const unsigned char pcie_link_speed[]; > > extern bool pci_early_dump; > > +extern bool pci_dont_attach_untrusted_devs; > > > > bool pcie_cap_has_lnkctl(const struct pci_dev *dev); > > bool pcie_cap_has_rtctl(const struct pci_dev *dev); > > -- > > 2.27.0.212.ge8ba1cc988-goog > > > > What happened to the split of "trust" and "internal/external" logic that > we discussed before? a) I think what was decided was introducing a device core "location" property that can be exposed to userspace to help it to decide whether or not to attach a driver to a device. Yes, that is still the plan. (Mild sidenote: userspace may not need to distinguish between internal and external devices if it can assume that no internal PCI devices will show up after "echo 0 > /sys/bus/pci/drivers_autoprobe". But nevertheless...) b) Note that even with (a) in place, we still need a parameter that can ensure that drivers are not bound to external devices at boot, *before* userspace gets a chance to disable "drivers_autoprobe". https://lkml.org/lkml/2020/6/15/1453 Is it OK to add such a parameter in device core? Thanks, Rajat > This seems to ignore all of that and go straight > to some form of "we know what we trust, so all is fine!". > > It's not obvious what this is really doing here at all, sorry... > > greg k-h