Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp76785pxb; Tue, 12 Jan 2021 20:44:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJxz5pS61xDLgh0iapxw85Qnyj04SyoLMOGvurO1j6lYr01vhq/edsHrDD1CJEgslYpA6zmY X-Received: by 2002:a05:6402:a53:: with SMTP id bt19mr332639edb.104.1610513040131; Tue, 12 Jan 2021 20:44:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610513040; cv=none; d=google.com; s=arc-20160816; b=V6zxJx+vix5Nr8Vf5BKyiZJtRFt8ROjYuq7DK9TsECRA59w6ld2gq/1uXlCGZj3c8K K9dIsfBq3OmOPGfGlTwRNSLw7WcNGvjKYcI+j4Bqc2IRm4klxcUMEkqfYHZQaMwS1UVs IT+HTGaW3jHDTL94FA2w7eoB+d35fTH+C9YQNdQ/bhY85Q6y1p2s3BrYYqGM38Ss0JAf T04FIzPIK+vqZ+5/NKKs+UzmJzKIRoJCOqBxDGFO6VlZ57hNVnIVKnsU59KwWNk58dsx JKEBawf6k8iVt91NfgZLNNDGCFSu4xlkGX2Kq7VR9UVV2j60L/t2iMTs11U5SshuaM9g 0sVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=KvQ2yMS8fLkXK342PvW0uslM8ZlXd39fo1Po12xDqaQ=; b=r2jB7FDogbA60Pz74h2GOQji9zoAg7/NLtq508hMQIgx9/1J0loLwlNFRUBeoa/iK3 UWU38I/zbrk9EHvD8TpYiEu0id9YPsAe/SYhdoRrwX20aIXDpqwaRHKhqsIJJLIXYtIh lN/Xl8GD7lSUreaFimx8ueJMiXD0OWr593pzmZipkgRyxQpcHYAz3FzFdRTSNq8rh1nm Rb2gPNSDfY87Xaco/g27AGuGz19drskltcZ2fWUQTWvX4XV5z5oDNtRev/1/S+olbq9m 6dv7pV4mi0tmPPIzWtrrmy8VJx/fTYb6Ec3dQHkjIqihZSiTUaEpN/LEsaUbuSUs6t2d YR3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=avdfFgTk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id si7si391179ejb.5.2021.01.12.20.43.35; Tue, 12 Jan 2021 20:44:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=avdfFgTk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725833AbhAMEmX (ORCPT + 99 others); Tue, 12 Jan 2021 23:42:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725372AbhAMEmX (ORCPT ); Tue, 12 Jan 2021 23:42:23 -0500 Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24E8FC061575; Tue, 12 Jan 2021 20:41:43 -0800 (PST) Received: by mail-pf1-x435.google.com with SMTP id a188so457024pfa.11; Tue, 12 Jan 2021 20:41:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=KvQ2yMS8fLkXK342PvW0uslM8ZlXd39fo1Po12xDqaQ=; b=avdfFgTkaBibOVpcEf2XR+8TzRftglYeCpXQi8+D1HMwpIOkD7NkRtIUsc8mUk0s2Z uB+NCl2ETqVqZu0HEWsAPxXGOJfklLqHqylL8JLnPkGURCT0Rr91r3d22C9ChX+4xOUa 0+/zxN+7tE3QoOiYsE/ZQ/wPF/VA588kdPh0Ougg38W4Cv/AoTVa0JYnRMmr2WARDcHl v8fvvCq6DsKX5OdSGhN1HNKIz8q3cbU17isYsDfTtguubxnD10O9uu6ccz3Y/qgusZpl Cud+aVxghpfL6SrKtq34b4bAKNxgGqnLbGXPQtA6+DGdpIMhLyHHFSzJVWpdKkBqK0hF 2NWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=KvQ2yMS8fLkXK342PvW0uslM8ZlXd39fo1Po12xDqaQ=; b=PlhbUYofVmINIadjR02ZEghs/zaf0AbmzigoDesj97eq2GetIGGw+CjrGKMtjsJhGI I4kP4ba9y+0jA6KvUKq9NiQF8GLVu/xe1gB5xjTOUDlu/xN33khIs0b3EOnRjbs1Ey0a JHogjB4659KIm3wFSljKYFFwwVReowZJMaDZaBspzUqQwExvMQqsnza6QX55kiODOO8V kvbxqva2b3MdXNTHArmWI07KvWKcHoXTycubNZLchDAioThT+KvxAOIgtkPIkAFDLC1g 4yQwHhTbc/kqU9P43pWv59Gm9vq/LAOLytB+FtpdKc6yZM93VwWJC7WcwGgg3nDpBi+V raeQ== X-Gm-Message-State: AOAM533P6qzu9Pup0ucg1MOVGuD64GnZ1AjbdrnUu+xBHKOG7GuTlLyK z7zlxDKuEHx2hk18133FDCo= X-Received: by 2002:a63:e108:: with SMTP id z8mr315659pgh.363.1610512902499; Tue, 12 Jan 2021 20:41:42 -0800 (PST) Received: from [192.168.1.67] (99-44-17-11.lightspeed.irvnca.sbcglobal.net. [99.44.17.11]) by smtp.gmail.com with ESMTPSA id 6sm769816pfj.216.2021.01.12.20.41.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 12 Jan 2021 20:41:41 -0800 (PST) Subject: Re: [RFC PATCH v3 0/6] Restricted DMA To: Tomasz Figa Cc: Claire Chang , Rob Herring , mpe@ellerman.id.au, benh@kernel.crashing.org, paulus@samba.org, "list@263.net:IOMMU DRIVERS" , Joerg Roedel , Will Deacon , Frank Rowand , Konrad Rzeszutek Wilk , boris.ostrovsky@oracle.com, jgross@suse.com, sstabellini@kernel.org, Christoph Hellwig , Marek Szyprowski , Robin Murphy , grant.likely@arm.com, xypron.glpk@gmx.de, Thierry Reding , mingo@kernel.org, bauerman@linux.ibm.com, peterz@infradead.org, Greg KH , Saravana Kannan , "Rafael J . Wysocki" , heikki.krogerus@linux.intel.com, Andy Shevchenko , Randy Dunlap , Dan Williams , Bartosz Golaszewski , linux-devicetree , lkml , linuxppc-dev@lists.ozlabs.org, xen-devel@lists.xenproject.org, Nicolas Boichat , Jim Quinlan References: <20210106034124.30560-1-tientzu@chromium.org> <78871151-947d-b085-db03-0d0bd0b55632@gmail.com> <23a09b9a-70fc-a7a8-f3ea-b0bfa60507f0@gmail.com> From: Florian Fainelli Message-ID: <7fe99ad2-79a7-9c8b-65ce-ce8353e9d9bf@gmail.com> Date: Tue, 12 Jan 2021 20:41:24 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0 Thunderbird/78.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/12/2021 8:25 PM, Tomasz Figa wrote: > On Wed, Jan 13, 2021 at 12:56 PM Florian Fainelli wrote: >> >> >> >> On 1/12/2021 6:29 PM, Tomasz Figa wrote: >>> Hi Florian, >>> >>> On Wed, Jan 13, 2021 at 3:01 AM Florian Fainelli wrote: >>>> >>>> On 1/11/21 11:48 PM, Claire Chang wrote: >>>>> On Fri, Jan 8, 2021 at 1:59 AM Florian Fainelli wrote: >>>>>> >>>>>> On 1/7/21 9:42 AM, Claire Chang wrote: >>>>>> >>>>>>>> Can you explain how ATF gets involved and to what extent it does help, >>>>>>>> besides enforcing a secure region from the ARM CPU's perpsective? Does >>>>>>>> the PCIe root complex not have an IOMMU but can somehow be denied access >>>>>>>> to a region that is marked NS=0 in the ARM CPU's MMU? If so, that is >>>>>>>> still some sort of basic protection that the HW enforces, right? >>>>>>> >>>>>>> We need the ATF support for memory MPU (memory protection unit). >>>>>>> Restricted DMA (with reserved-memory in dts) makes sure the predefined memory >>>>>>> region is for PCIe DMA only, but we still need MPU to locks down PCIe access to >>>>>>> that specific regions. >>>>>> >>>>>> OK so you do have a protection unit of some sort to enforce which region >>>>>> in DRAM the PCIE bridge is allowed to access, that makes sense, >>>>>> otherwise the restricted DMA region would only be a hint but nothing you >>>>>> can really enforce. This is almost entirely analogous to our systems then. >>>>> >>>>> Here is the example of setting the MPU: >>>>> https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/mediatek/mt8183/drivers/emi_mpu/emi_mpu.c#L132 >>>>> >>>>>> >>>>>> There may be some value in standardizing on an ARM SMCCC call then since >>>>>> you already support two different SoC vendors. >>>>>> >>>>>>> >>>>>>>> >>>>>>>> On Broadcom STB SoCs we have had something similar for a while however >>>>>>>> and while we don't have an IOMMU for the PCIe bridge, we do have a a >>>>>>>> basic protection mechanism whereby we can configure a region in DRAM to >>>>>>>> be PCIe read/write and CPU read/write which then gets used as the PCIe >>>>>>>> inbound region for the PCIe EP. By default the PCIe bridge is not >>>>>>>> allowed access to DRAM so we must call into a security agent to allow >>>>>>>> the PCIe bridge to access the designated DRAM region. >>>>>>>> >>>>>>>> We have done this using a private CMA area region assigned via Device >>>>>>>> Tree, assigned with a and requiring the PCIe EP driver to use >>>>>>>> dma_alloc_from_contiguous() in order to allocate from this device >>>>>>>> private CMA area. The only drawback with that approach is that it >>>>>>>> requires knowing how much memory you need up front for buffers and DMA >>>>>>>> descriptors that the PCIe EP will need to process. The problem is that >>>>>>>> it requires driver modifications and that does not scale over the number >>>>>>>> of PCIe EP drivers, some we absolutely do not control, but there is no >>>>>>>> need to bounce buffer. Your approach scales better across PCIe EP >>>>>>>> drivers however it does require bounce buffering which could be a >>>>>>>> performance hit. >>>>>>> >>>>>>> Only the streaming DMA (map/unmap) needs bounce buffering. >>>>>> >>>>>> True, and typically only on transmit since you don't really control >>>>>> where the sk_buff are allocated from, right? On RX since you need to >>>>>> hand buffer addresses to the WLAN chip prior to DMA, you can allocate >>>>>> them from a pool that already falls within the restricted DMA region, right? >>>>>> >>>>> >>>>> Right, but applying bounce buffering to RX will make it more secure. >>>>> The device won't be able to modify the content after unmap. Just like what >>>>> iommu_unmap does. >>>> >>>> Sure, however the goals of using bounce buffering equally applies to RX >>>> and TX in that this is the only layer sitting between a stack (block, >>>> networking, USB, etc.) and the underlying device driver that scales well >>>> in order to massage a dma_addr_t to be within a particular physical range. >>>> >>>> There is however room for improvement if the drivers are willing to >>>> change their buffer allocation strategy. When you receive Wi-Fi frames >>>> you need to allocate buffers for the Wi-Fi device to DMA into, and that >>>> happens ahead of the DMA transfers by the Wi-Fi device. At buffer >>>> allocation time you could very well allocate these frames from the >>>> restricted DMA region without having to bounce buffer them since the >>>> host CPU is in control over where and when to DMA into. >>>> >>> >>> That is, however, still a trade-off between saving that one copy and >>> protection from the DMA tampering with the packet contents when the >>> kernel is reading them. Notice how the copy effectively makes a >>> snapshot of the contents, guaranteeing that the kernel has a >>> consistent view of the packet, which is not true if the DMA could >>> modify the buffer contents in the middle of CPU accesses. >> >> I would say that the window just became so much narrower for the PCIe >> end-point to overwrite contents with the copy because it would have to >> happen within the dma_unmap_{page,single} time and before the copy is >> finished to the bounce buffer. > > Not only. Imagine this: > > a) Without bouncing: > > - RX interrupt > - Pass the packet to the network stack > - Network stack validates the packet > - DMA overwrites the packet > - Network stack goes boom, because the packet changed after validation > > b) With bouncing: > > - RX interrupt > - Copy the packet to a DMA-inaccessible buffer > - Network stack validates the packet > - Network stack is happy, because the packet is guaranteed to stay the > same after validation Yes that's a much safer set of operations, thanks for walking through a practical example. -- Florian