Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2333019pxb; Thu, 11 Feb 2021 09:42:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJw2HfxTkBnedO46CzUNA64LLxgbyow5e2RKNEQpqzb2pVxsfUbzaS8WGj4snM/k5/WbqV+5 X-Received: by 2002:a17:906:1389:: with SMTP id f9mr9646054ejc.442.1613065323788; Thu, 11 Feb 2021 09:42:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613065323; cv=none; d=google.com; s=arc-20160816; b=QYcQs+yrcLp1idCp7WFCp6ALTNdu/1IeTX+8/qF4lc3jBdqnTPqILjX3z/ObONMFFf tKv0GQ0QDK4KsyafRLSQ9K7VVhsYH8VpEbA8XWArlPJMNN3k5Fnu1Q5PEfnWJyBtVR95 eVahQWnavrxlZbPnrBkZ9ympzU8VJZAfPa7XLsHNh3NtpVshiSS8D/VtDM4lzVE+8sJl MxnwS27Az6jQHAaPx1IoBIC6KceV0aXZcFLfRmbQghIU5nzRehOAAVEQRfYj8G2Iumzy c6xGyJWnDyRKsFjEffDO/nJ1iimFhkSqlKkCjULPy72RHRExAvwLONFJx/o7Sx2wg0QZ 3w4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=TnTqaJo6o1YbIsxOlUU5El2AYFoCRaTMv2k74gwpYCk=; b=yqFt2xEvm8iEcqagk0Ihm9WJ6YbkHxJ2PpKaxyNJVY91IwKE/VkKeq5y7tolnSnnFr 014PASxzmtvIQttibmuutyS9/FxUdXzN3O6skI7rQQ8m7FNKNGeruesHassR7zILdIpv dMfTh8pJmRczUIaYK/5O9is4GmpHl+bxJzIxuRP/J4eQ1X82uFEVr/aBhomie/y74DtM qr+xIELYqfZb+m39V01BJLbvOfD6oNeP4jsYuXKypDjUCoy39vsUzUODjXld1HLgaSLM YDaIgoTqUJWKgO5x15OPFKUJEYTwgGylE8KYnn3duo1142e3K08miOsQ3IOxurgFYfLx iHAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=j7wENnRN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f16si4095675eja.263.2021.02.11.09.41.39; Thu, 11 Feb 2021 09:42:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=j7wENnRN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232250AbhBKRjV (ORCPT + 99 others); Thu, 11 Feb 2021 12:39:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40734 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231659AbhBKQod (ORCPT ); Thu, 11 Feb 2021 11:44:33 -0500 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31182C06178B for ; Thu, 11 Feb 2021 08:43:29 -0800 (PST) Received: by mail-qt1-x82d.google.com with SMTP id z32so4592457qtd.8 for ; Thu, 11 Feb 2021 08:43:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=TnTqaJo6o1YbIsxOlUU5El2AYFoCRaTMv2k74gwpYCk=; b=j7wENnRNfYfPWqF0G9QGfDUzZk153Z4UQUmIveNotABQDwPIRR70vxmq35a7doUKCZ /HcvOQ86RpZiIANzXlYIfy+cAgGoUtdPhMADXIwhA2mdI+cZmuULVLbyvajkEAzTFDUD HlQENYNoYVeOG5qtbcqxQm6f93n6rMe0lE2Q/7B1Q0BVTLr+Tv6TXhbb4QBf/RUGDOIL jvNkGUYiXZOX9S7SYbN6U7aMi36Jvs+F6dKWmArqhvay3h5S4R8nxzeejQBYTIaCr8Lu 7ak3Pb8RxDoS2+C/OcgfbO/o40kFyaZsGykValmew5XF14xbnK46yn5yPxRz3jn4yz/o OW0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=TnTqaJo6o1YbIsxOlUU5El2AYFoCRaTMv2k74gwpYCk=; b=S7uYx7nPq3PPXZ8OcrG1n5Xoq2qY1q949a5T1GAoe2ISSzVgPQaXAro7kjCG0g57BW ozeSBtjP/Und9ZrQIJ8lvtjY1z6hn1mNorKSaveJboM44hAJzFLvcHMehsEvVrwKIIrj gHoBD1TeSCZezyXXRbSrI27+QMjW6wh7yNWMsvupoD0gjsBdUUvEe9QYe/bP8Xcch0NY QDzg8JU/Fas0qvTP+/KFaD0Z6vma5qOCYlAjPhr15qOe2btss1tWmyFBNgKr+oTAPMbr wplEHqq6q6tgytciD3l2jfnnL95MSIIt292MAzUg04sK09mmsvJu9+GtjCWguMphF78h vRQw== X-Gm-Message-State: AOAM533Re8KXck/WDtMlLkmOs3Ck1COQaW56CUZwyPhnF2OiAMxEOmfC BpRRGpE4vHG0L0h4gueg6Ew5nt85bPACLh7HF5OmdA== X-Received: by 2002:ac8:59d6:: with SMTP id f22mr8369890qtf.230.1613061807236; Thu, 11 Feb 2021 08:43:27 -0800 (PST) MIME-Version: 1.0 References: <20210210000259.635748-1-ben.widawsky@intel.com> <20210210000259.635748-6-ben.widawsky@intel.com> In-Reply-To: From: Dan Williams Date: Thu, 11 Feb 2021 08:43:16 -0800 Message-ID: Subject: Re: [PATCH v2 5/8] cxl/mem: Add a "RAW" send command To: Ariel.Sibley@microchip.com Cc: Ben Widawsky , linux-cxl@vger.kernel.org, Linux ACPI , Linux Kernel Mailing List , linux-nvdimm , Linux PCI , Bjorn Helgaas , Chris Browy , Christoph Hellwig , David Hildenbrand , David Rientjes , "Weiny, Ira" , Jon Masters , Jonathan Cameron , Rafael J Wysocki , Randy Dunlap , Vishal L Verma , "John Groves (jgroves)" , Sean V Kelley Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 10, 2021 at 7:27 AM wrote: > > > diff --git a/drivers/cxl/Kconfig b/drivers/cxl/Kconfig > > index c4ba3aa0a05d..08eaa8e52083 100644 > > --- a/drivers/cxl/Kconfig > > +++ b/drivers/cxl/Kconfig > > @@ -33,6 +33,24 @@ config CXL_MEM > > > > If unsure say 'm'. > > > > +config CXL_MEM_RAW_COMMANDS > > + bool "RAW Command Interface for Memory Devices" > > + depends on CXL_MEM > > + help > > + Enable CXL RAW command interface. > > + > > + The CXL driver ioctl interface may assign a kernel ioctl comm= and > > + number for each specification defined opcode. At any given po= int in > > + time the number of opcodes that the specification defines and= a device > > + may implement may exceed the kernel's set of associated ioctl= function > > + numbers. The mismatch is either by omission, specification is= too new, > > + or by design. When prototyping new hardware, or developing / > > debugging > > + the driver it is useful to be able to submit any possible com= mand to > > + the hardware, even commands that may crash the kernel due to = their > > + potential impact to memory currently in use by the kernel. > > + > > + If developing CXL hardware or the driver say Y, otherwise say= N. > > Blocking RAW commands by default will prevent vendors from developing use= r space tools that utilize vendor specific commands. Vendors of CXL.mem dev= ices should take ownership of ensuring any vendor defined commands that cou= ld cause user data to be exposed or corrupted are disabled at the device le= vel for shipping configurations. What follows is my personal opinion as a Linux kernel developer, not necessarily the opinion of my employer... Aside from the convention that new functionality is always default N it is the Linux distributor that decides the configuration. In an environment where the kernel is developing features like CONFIG_SECURITY_LOCKDOWN_LSM that limit the ability of the kernel to subvert platform features like secure boot, it is incumbent upon drivers to evaluate what they must do to protect platform integrity. See the ongoing tightening of /dev/mem like interfaces for an example of the shrinking ability of root to have unfettered access to all platform/hardware capabilities. CXL is unique in that it impacts "System RAM" resources and that it interleaves multiple devices. Compare this to NVME where the blast radius of misbehavior is contained to an endpoint and is behind an IOMMU. The larger impact to me increases the responsibility of CXL enabling to review system impacts and vendor specific functionality is typically unreviewable. There are 2 proposals I can see to improve the unreviewable problem. First, of course, get commands into the standard proper. One strawman proposal is to take the "Code First" process that seems to be working well for the ACPI and UEFI working groups and apply it to CXL command definitions. That vastly shortens the time between proposal and Linux enabling. The second proposal is to define a mechanism for de-facto standards to develop. That need I believe was the motivation for "designated vendor-specific" in the first instance? I.e. to share implementations across vendors pre-standardization. So, allocate a public id for the command space, publish a public specification, and then send kernel patches. This was the process for accepting command sets outside of ACPI into the LIBNVDIMM subsystem. See drivers/acpi/nfit/nfit.h for the reference to the public command sets.