Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp320799pxb; Thu, 21 Jan 2021 07:56:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJxvVCw2qEw18ngxGMykQY2ul09kwO7XVyymJ3HRrJMPlr7BOiGEIBzXtIc3WajHC7h5pYLS X-Received: by 2002:a17:906:369a:: with SMTP id a26mr92299ejc.276.1611244562851; Thu, 21 Jan 2021 07:56:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611244562; cv=none; d=google.com; s=arc-20160816; b=Qf91iL0GA3tFY+xOmX1ZPn4GfD23pVbIbNsze+ApU0FpFebzbrqK0XdQd6ToO3u1rh YZt3RibrGGP0Icwuy4VTJbz9e43D+zDryoTfAr7kNnv6+BITI5GbMkDiBb/QWdVeeYYE 7i8EcIUu3qe05jMZF7CcjyM2eHPEO/T0Mw0Sl2M9yrE//vBO3a86hFjp6vWtAhvQywaW VeQ8bTNTnC87FBbLeT3NqKkpgPfxZpjViYaPMJ2E2gX4UoEQoGpTiM1GD0KyJoREoVFF 985gpde2RZMBVQe1MSEwVuGO3OnIfvhGdrYHgctQFeJNd3wXFa3oFSOiFu3vSjs5RQLo /cUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=ESCY3rt1UpVAToMmeAThDINvSacKiOsK2nc/NRoNF9g=; b=cgJ/yfUYvfBsUrZcrdCbGEjXydvX0HJM3lNbWYcSI2EMBBKcgFXjBFo4yuNSGcMOfF okGk4B2/teJn1Medixz6+j0hAwKo7lc7KeoRNJ4TC04qRCIvFYY1kzOnaJj/aixGZMbc MNrOo18Fy0CRgBgPmKftWzf/484J4b0LLty5PUKveFzLmRyXI0h9M/m5j8I+k/R4dqpg Wh2X8TDyvnSA5uq+cK0E0GF3PffJRSL8dl1NccxxwV/QtFaqqB04R3TIZn4ng2w/Cs8h YG3tFfH7FGuZBrNksh3NO1UQkbGkgcihkSuODSEo+fPvCKEZ+kDwi1QqyLmO6ny6RFmI PO9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LCFe42rT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id co11si425497edb.211.2021.01.21.07.55.33; Thu, 21 Jan 2021 07:56:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=LCFe42rT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387467AbhAUPvV (ORCPT + 99 others); Thu, 21 Jan 2021 10:51:21 -0500 Received: from mail.kernel.org ([198.145.29.99]:50636 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387592AbhAUPs7 (ORCPT ); Thu, 21 Jan 2021 10:48:59 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 0929723A5E; Thu, 21 Jan 2021 15:48:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1611244098; bh=ESCY3rt1UpVAToMmeAThDINvSacKiOsK2nc/NRoNF9g=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=LCFe42rTpo0PlaukO40aoasQL5/Qys43MShy5ZOg+JcG27AZaNRJ4cHu3ZE/cf8rR HIq5i0dftrTxshUnv+icHC5DHyTHfgXx2miR6yKQvenRHR5EcVuOpasmEc7yPQPVKD cwEyOANH8KznmYsj7P/LmxN8ew+znCkYwD6N0a4Tn3GZxCRNczrWFg3Bw2fLc+J8b0 mk+EobIZoCcxbqX8JNLKcWwjnfwQR3O98R8GTEtgLU8u20ZLIEKiWn8pxnDTKeDO9I oRgIbCp6Cch6hzf1mS9uVrtxlnUuCLlYvc71A4V2HcSXBy2GIVc5mXErflL3r+khjI CV+PqF7WZ5l5A== Received: by mail-lf1-f51.google.com with SMTP id q12so3121811lfo.12; Thu, 21 Jan 2021 07:48:17 -0800 (PST) X-Gm-Message-State: AOAM5331vcJOl/amW0j3d0GT9m1oztV2dB7L5jgF4g8I93bhnRUeIGGz MtSWYtbAV/o/mmn6YNmHzmEQxqkjWO3L77uRxg== X-Received: by 2002:a17:906:958f:: with SMTP id r15mr70711ejx.360.1611244095545; Thu, 21 Jan 2021 07:48:15 -0800 (PST) MIME-Version: 1.0 References: <20210106034124.30560-1-tientzu@chromium.org> <20210106034124.30560-6-tientzu@chromium.org> <20210120165348.GA220770@robh.at.kernel.org> <313f8052-a591-75de-c4c2-ee9ea8f02e7f@arm.com> In-Reply-To: From: Rob Herring Date: Thu, 21 Jan 2021 09:48:03 -0600 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v3 5/6] dt-bindings: of: Add restricted DMA pool To: Robin Murphy Cc: Claire Chang , Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , Joerg Roedel , Will Deacon , Frank Rowand , Konrad Rzeszutek Wilk , Boris Ostrovsky , Juergen Gross , Stefano Stabellini , Christoph Hellwig , Marek Szyprowski , Grant Likely , Heinrich Schuchardt , Thierry Reding , Ingo Molnar , Thiago Jung Bauermann , Peter Zijlstra , Greg Kroah-Hartman , Saravana Kannan , "Wysocki, Rafael J" , Heikki Krogerus , Andy Shevchenko , Randy Dunlap , Dan Williams , Bartosz Golaszewski , devicetree@vger.kernel.org, "linux-kernel@vger.kernel.org" , linuxppc-dev , Linux IOMMU , xen-devel@lists.xenproject.org, Tomasz Figa , Nicolas Boichat Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 20, 2021 at 7:10 PM Robin Murphy wrote: > > On 2021-01-20 21:31, Rob Herring wrote: > > On Wed, Jan 20, 2021 at 11:30 AM Robin Murphy wrote: > >> > >> On 2021-01-20 16:53, Rob Herring wrote: > >>> On Wed, Jan 06, 2021 at 11:41:23AM +0800, Claire Chang wrote: > >>>> Introduce the new compatible string, restricted-dma-pool, for restricted > >>>> DMA. One can specify the address and length of the restricted DMA memory > >>>> region by restricted-dma-pool in the device tree. > >>> > >>> If this goes into DT, I think we should be able to use dma-ranges for > >>> this purpose instead. Normally, 'dma-ranges' is for physical bus > >>> restrictions, but there's no reason it can't be used for policy or to > >>> express restrictions the firmware has enabled. > >> > >> There would still need to be some way to tell SWIOTLB to pick up the > >> corresponding chunk of memory and to prevent the kernel from using it > >> for anything else, though. > > > > Don't we already have that problem if dma-ranges had a very small > > range? We just get lucky because the restriction is generally much > > more RAM than needed. > > Not really - if a device has a naturally tiny addressing capability that > doesn't even cover ZONE_DMA32 where the regular SWIOTLB buffer will be > allocated then it's unlikely to work well, but that's just crap system > design. Yes, memory pressure in ZONE_DMA{32} is particularly problematic > for such limited devices, but it's irrelevant to the issue at hand here. Yesterday's crap system design is today's security feature. Couldn't this feature make crap system design work better? > What we have here is a device that's not allowed to see *kernel* memory > at all. It's been artificially constrained to a particular region by a > TZASC or similar, and the only data which should ever be placed in that May have been constrained, but that's entirely optional. In the optional case where the setup is entirely up to the OS, I don't think this belongs in the DT at all. Perhaps that should be solved first. > region is data intended for that device to see. That way if it tries to > go rogue it physically can't start slurping data intended for other > devices or not mapped for DMA at all. The bouncing is an important part > of this - I forget the title off-hand but there was an interesting paper > a few years ago which demonstrated that even with an IOMMU, streaming > DMA of in-place buffers could reveal enough adjacent data from the same > page to mount an attack on the system. Memory pressure should be > immaterial since the size of each bounce pool carveout will presumably > be tuned for the needs of the given device. > > > In any case, wouldn't finding all the dma-ranges do this? We're > > already walking the tree to find the max DMA address now. > > If all you can see are two "dma-ranges" properties, how do you propose > to tell that one means "this is the extent of what I can address, please > set my masks and dma-range-map accordingly and try to allocate things > where I can reach them" while the other means "take this output range > away from the page allocator and hook it up as my dedicated bounce pool, > because it is Serious Security Time"? Especially since getting that > choice wrong either way would be a Bad Thing. Either we have some heuristic based on the size or we add some hint. The point is let's build on what we already have for defining DMA accessible memory in DT rather than some parallel mechanism. Rob