From: Dan Williams
Date: Mon, 1 Feb 2021 11:01:11 -0800
Subject: Re: [PATCH 08/14] taint: add taint for direct hardware access
To: Ben Widawsky
Cc: Konrad Rzeszutek Wilk, linux-cxl@vger.kernel.org, Linux ACPI, Linux Kernel Mailing List, linux-nvdimm, Linux PCI, Bjorn Helgaas, Chris Browy, Christoph Hellwig, Ira Weiny, Jon Masters, Jonathan Cameron, Rafael Wysocki, Randy Dunlap, Vishal Verma, daniel.lll@alibaba-inc.com, "John Groves (jgroves)", "Kelley, Sean V"
References: <20210130002438.1872527-1-ben.widawsky@intel.com> <20210130002438.1872527-9-ben.widawsky@intel.com> <20210201181845.GJ197521@fedora> <20210201183455.3dndfwyswwvs2dlm@intel.com>
In-Reply-To: <20210201183455.3dndfwyswwvs2dlm@intel.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Feb 1, 2021 at 10:35 AM Ben Widawsky wrote:
>
> On 21-02-01 13:18:45, Konrad Rzeszutek Wilk wrote:
> > On Fri, Jan 29, 2021 at 04:24:32PM -0800, Ben Widawsky wrote:
> > > For drivers that moderate access to the underlying hardware it is
> > > sometimes desirable to allow userspace to bypass restrictions. Once
> > > userspace has done this, the driver can no longer guarantee the sanctity
> > > of either the OS or the hardware. When in this state, it is helpful for
> > > kernel developers to be made aware (via this taint flag) of this fact
> > > for subsequent bug reports.
> > >
> > > Example usage:
> > > - Hardware xyzzy accepts 2 commands, waldo and fred.
> > > - The xyzzy driver provides an interface for using waldo, but not fred.
> > > - quux is convinced they really need the fred command.
> > > - xyzzy driver allows quux to frob hardware to initiate fred.
> >
> > Would it not be easier to _not_ frob the hardware for fred-operation?
> > Aka not implement it or just disallow in the first place?
>
> Yeah. So the idea is you either are in a transient phase of the command and some
> future kernel will have real support for fred - or a vendor is being
> short-sighted and not adding support for fred.
>
> >
> > > - kernel gets tainted.
> > > - turns out fred command is borked, and scribbles over memory.
> > > - developers laugh while closing quux's subsequent bug report.
> >
> > Yeah, good luck with that theory in the field. The customer won't
> > care about this and will demand a solution for doing fred-operation.
> >
> > Just easier to not do fred-operation in the first place, no?
>
> The short answer is, in an ideal world you are correct. See nvdimm as an example
> of the real world.
>
> The longer answer. Unless we want to wait until we have all the hardware we're
> ever going to see, it's impossible to have a fully baked and validated
> interface. The RAW interface is my admission that I make no guarantees about
> being able to provide the perfect interface and giving the power back to the
> hardware vendors and their driver writers.
>
> As an example, suppose a vendor shipped a device with their special vendor
> opcode. They can enable their customers to use that opcode on any driver
> version. That seems pretty powerful and worthwhile to me.

Powerful, frightening, and questionably worthwhile when there are already
examples of commands that need extra coordination for whatever reason.
However, I still think the decision tilts towards allowing this given
ongoing spec work. NVDIMM ended up allowing unfettered vendor passthrough
given the lack of an organizing body to unify vendors. CXL on the other
hand appears to have more gravity to keep vendors honest. A WARN splat
with a taint, and a debugfs knob for the truly problematic commands, seems
sufficient protection of system integrity while still following the Linux
ethos of giving system owners enough rope to make their own decisions.

> Or a more realistic example, we ship a driver that adds a command which is
> totally broken. Customers can utilize the RAW interface until it gets fixed in a
> subsequent release which might be quite a ways out.
>
> I'll say the RAW interface isn't an encouraged usage, but it's one that I expect
> to be needed, and if it's not we can always try to kill it later. If nobody is
> actually using it, nobody will complain, right :D

It might be worthwhile to make RAW support a compile-time decision so that
Linux distros can only ship support for the commands the CXL driver-dev
community has blessed, but I'll leave it to a distro developer to second
that approach.
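The gating policy the thread converges on (blessed commands pass normally; anything else goes through a RAW path that taints the kernel and emits a WARN; truly problematic commands additionally sit behind a debugfs-style knob; the whole RAW path can be compiled out) can be modelled in user space. The following is an added example written for this page, not code from the patch series or the CXL driver; the command table, opcodes, `MODEL_ENABLE_RAW` macro, `driver_state` struct and `submit_cmd()` function are all constructed assumptions that stand in for the kernel's Kconfig option, taint bit and debugfs attribute.

```c
/* User-space model of "blessed vs. RAW" command gating, as discussed in
 * the thread. Nothing here is the CXL driver's API; names and opcodes are
 * made up for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef MODEL_ENABLE_RAW
#define MODEL_ENABLE_RAW 1   /* stands in for a compile-time (Kconfig-style) choice */
#endif

enum verdict {
    V_OK_BLESSED = 0,           /* driver has a real interface for it: no taint */
    V_OK_RAW_TAINTED,           /* passed through the RAW path; taint bit is set */
    V_DENIED_RAW_COMPILED_OUT,  /* distro built without RAW support */
    V_DENIED_NEEDS_KNOB,        /* problematic command and the knob is off */
};

struct cmd_policy {
    uint16_t opcode;
    const char *name;
    bool blessed;      /* driver-dev community has a supported interface for it */
    bool problematic;  /* needs extra coordination; gated by the knob */
};

/* Constructed table mirroring the xyzzy/waldo/fred example in the thread. */
static const struct cmd_policy policy[] = {
    { 0x0001, "waldo",        true,  false },
    { 0x0002, "fred",         false, false },
    { 0x4000, "vendor-reset", false, true  },
};

struct driver_state {
    bool raw_knob;          /* models the debugfs knob for problematic commands */
    bool tainted;           /* models the sticky taint flag set on first RAW use */
    unsigned long raw_uses; /* how often the bypass was exercised */
};

static const struct cmd_policy *lookup(uint16_t opcode)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].opcode == opcode)
            return &policy[i];
    return NULL;  /* unknown opcode, e.g. a vendor-specific one */
}

/* Decide whether a submitted command may reach the hardware. The taint is
 * set once, on the first RAW pass-through, so a later bug report can be
 * checked against it regardless of how many RAW commands followed. */
enum verdict submit_cmd(struct driver_state *st, uint16_t opcode)
{
    const struct cmd_policy *p = lookup(opcode);

    if (p && p->blessed)
        return V_OK_BLESSED;

    if (!MODEL_ENABLE_RAW)
        return V_DENIED_RAW_COMPILED_OUT;

    if (p && p->problematic && !st->raw_knob)
        return V_DENIED_NEEDS_KNOB;

    if (!st->tainted) {
        st->tainted = true;
        /* stands in for the WARN splat that accompanies the taint */
        fprintf(stderr, "WARNING: raw command 0x%04x bypassed the driver; "
                        "kernel is now tainted\n", opcode);
    }
    st->raw_uses++;
    return V_OK_RAW_TAINTED;
}

int main(void)
{
    struct driver_state st = { 0 };

    printf("waldo        -> %d\n", submit_cmd(&st, 0x0001));
    printf("fred         -> %d (tainted=%d)\n", submit_cmd(&st, 0x0002), st.tainted);
    printf("vendor-reset -> %d (knob off)\n", submit_cmd(&st, 0x4000));
    st.raw_knob = true;
    printf("vendor-reset -> %d (knob on)\n", submit_cmd(&st, 0x4000));
    return 0;
}
```

Building with `-DMODEL_ENABLE_RAW=0` makes every non-blessed command fail with `V_DENIED_RAW_COMPILED_OUT`, which is the distro-kernel posture Dan suggests; with the default build, the taint is the only trace a non-blessed command leaves, so a bug triager should check that flag before trusting the rest of the report.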