Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp121754pxj; Thu, 13 May 2021 23:09:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyJbO2IPceRZrFuLLo461mNIo4j0QSmgmQDLF87Vz2KXJ55SOvZVq2HozTChkNHoCmtdmr3 X-Received: by 2002:a02:8308:: with SMTP id v8mr41878861jag.143.1620972560021; Thu, 13 May 2021 23:09:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620972560; cv=none; d=google.com; s=arc-20160816; b=hsqyjQ3ip4t7PO/RFDoYRr5pohgJ1lKBDywHKNmo/Rvazcue6bTSvYA4o8dKwNoire Yxo1A8P70IabX3vKjXvJFaMxxkk2Keoi3SXAp2V4/yjJHURsDAOt74xyPEOA9v+QWNNF AEYMPYjqxlt75960t5b49ey7L/scOmtBicdlisYmuKoatl+ptfr3hbjFbZRAeJAzS92C NozavT4kMar7DiewcEiXQsB/XH8z3KPvcrUk5TanKmbdScEx0sXpJfQ9MkgTJrgCxh1C spMU0lNsdDg4ffp2QeashnbRykXRiRGlKrwXX0sjwg4F4UAnCzaypPNW2MoCm3AWcKk1 zMnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=zdaEM0ON7dQpiFlQC2MX8fS7tFjVU+eRgp02YMvQRpE=; b=Z80u3J3WrMvgnQl3uH4xrvFfO3RUSq0KlzrYUeI934rAQiu2/VXcHe17+3Im2rCf5D BmPu63o5+LZ+IrML9MVUberlv4b8HbzYSNaEUaGREQuX8Rl+6hQQMm7UDi2YPjFXOxwM d/YcGm9KzVfWE4DcVGEXLUG0UzIgpJdZKDEE6zXitdARC6QfTeyooneKzIHYp2YymTIu a8KwNaNuVcOp5Z0fjY0ns6KZgq/edHTUnR0NAa1PSQuOj91V2QwJ1JOSepKtG1J7uoZK xNgwiY3BYVC9ghppWKEW9UhgICsN6PvmdGQiao++yei2P0Wf6VD9za24Hjys0sIDA4RO AUwg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZkvfYrC9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a23si6493088jap.18.2021.05.13.23.09.06; Thu, 13 May 2021 23:09:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ZkvfYrC9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231519AbhEMR5c (ORCPT + 99 others); Thu, 13 May 2021 13:57:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231523AbhEMR44 (ORCPT ); Thu, 13 May 2021 13:56:56 -0400 Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C5540C061760 for ; Thu, 13 May 2021 10:55:24 -0700 (PDT) Received: by mail-lf1-x130.google.com with SMTP id h4so39743213lfv.0 for ; Thu, 13 May 2021 10:55:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zdaEM0ON7dQpiFlQC2MX8fS7tFjVU+eRgp02YMvQRpE=; b=ZkvfYrC9VP8wOYhxR6XUUPvLtpuvnHHaWEwfH/GvvNi4ko7hdEgEvhpI8MVVZZhODM s8u4iHRE6RO6S2Z6AynjymUXNUK/jTnJ+6OGBF6ifJjO0tdfD3he7QdtPHGA2FFATnDP RSBX9q9VzC/N30ezYCSb7DpjS6wJ096Tjye2c5n4o+yVuLO5l3W+yUYNH8yO+xpk9HTN k5TKUmR3LVnLYQ1YnuNQi8FDHZtkEiDuVN1sUXS+AdiTTuAueqIhF2sajVclqWCvHbHa vHgdq/IXAdvoAebVbLMv9d+K/6mC72hDmCTn70S3UbwGYWGnxWINHlbyGlYEjwd4xcdG Q4jw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zdaEM0ON7dQpiFlQC2MX8fS7tFjVU+eRgp02YMvQRpE=; b=dY9Nnq+aI4ygxxClTmZFF/SBRHOlx1ZvcXBObu/2zj/QlrzwybXZGOweWM+tV440I9 5iWNQ8/BKpQ+3x4lIPBTtyu68KLfbaViC7WROA4yhXQgjSlOgrWkbSz/ga107BgySt03 XNbz1E1GZScDrWMTd51rTATroLqDIo1bUEJ0DJsW6GonXhOXH7APCQBpLkInDosOBdmv 6/Jg0eYOf2mmgX4LUujiD2TbrnJjc4DS2iamwRfOo17KuNJpC+oxck7mqZDAVqJIeC0G FeZjsNWR2kujMtxyyezT9CIJJ10Taw1M7xms1BYxq2EPN4AGnraGFacneWSNcVrHO2UU Qegw== X-Gm-Message-State: AOAM5302lJHwNWj2jGAc77GRHg3nw1XSfB0sLAaSJpH2V99td42eINqL 8opxpj4GOeSZ9zl7Q8Bjxt5SEDp3OsQzKJj0+67Yqt5Fdg1QqA== X-Received: by 2002:ac2:414e:: with SMTP id c14mr30376645lfi.155.1620928522965; Thu, 13 May 2021 10:55:22 -0700 (PDT) MIME-Version: 1.0 References: <20210512213457.1310774-1-rajatja@google.com> <20210512213457.1310774-2-rajatja@google.com> In-Reply-To: From: Rajat Jain Date: Thu, 13 May 2021 10:54:47 -0700 Message-ID: Subject: Re: [PATCH v3 2/2] PCI: Add sysfs "removable" attribute To: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" , Bjorn Helgaas , Alan Stern , Linux Kernel Mailing List , linux-pci , "open list:ULTRA-WIDEBAND (UWB) SUBSYSTEM:" , Bjorn Helgaas , Oliver Neukum , David Laight , =?UTF-8?Q?Krzysztof_Wilczy=C5=84ski?= , Rajat Jain , Jesse Barnes , Dmitry Torokhov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 13, 2021 at 10:42 AM Greg Kroah-Hartman wrote: > > On Thu, May 13, 2021 at 09:39:58AM -0700, Rajat Jain wrote: > > Hello, > > > > On Thu, May 13, 2021 at 6:58 AM Greg Kroah-Hartman > > wrote: > > > > > > On Wed, May 12, 2021 at 02:34:57PM -0700, Rajat Jain wrote: > > > > A PCI device is "external_facing" if it's a Root Port with the ACPI > > > > "ExternalFacingPort" property or if it has the DT "external-facing" > > > > property. We consider everything downstream from such a device to > > > > be removable by user. > > > > > > > > We're mainly concerned with consumer platforms with user accessible > > > > thunderbolt ports that are vulnerable to DMA attacks, and we expect those > > > > ports to be identified as "ExternalFacingPort". Devices in traditional > > > > hotplug slots can technically be removed, but the expectation is that > > > > unless the port is marked with "ExternalFacingPort", such devices are less > > > > accessible to user / may not be removed by end user, and thus not exposed > > > > as "removable" to userspace. > > > > > > > > Set pci_dev_type.supports_removable so the device core exposes the > > > > "removable" file in sysfs, and tell the device core about removable > > > > devices. > > > > > > > > This can be used by userspace to implment any policies it wants to, > > > > tailored specifically for user removable devices. Eg usage: > > > > https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2591812 > > > > https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2795038 > > > > (code uses such an attribute to remove external PCI devicces or disable > > > > features on them as needed by the policy desired) > > > > > > > > Signed-off-by: Rajat Jain > > > > --- > > > > v3: - commit log updated > > > > - Rename set_pci_dev_removable() -> pci_set_removable() > > > > - Call it after applying early PCI quirks. > > > > v2: Add documentation > > > > > > > > Documentation/ABI/testing/sysfs-devices-removable | 3 ++- > > > > drivers/pci/pci-sysfs.c | 1 + > > > > drivers/pci/probe.c | 12 ++++++++++++ > > > > 3 files changed, 15 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/Documentation/ABI/testing/sysfs-devices-removable b/Documentation/ABI/testing/sysfs-devices-removable > > > > index 9dabcad7cdcd..ec0b243f5db4 100644 > > > > --- a/Documentation/ABI/testing/sysfs-devices-removable > > > > +++ b/Documentation/ABI/testing/sysfs-devices-removable > > > > @@ -14,4 +14,5 @@ Description: > > > > > > > > Currently this is only supported by USB (which infers the > > > > information from a combination of hub descriptor bits and > > > > - platform-specific data such as ACPI). > > > > + platform-specific data such as ACPI) and PCI (which gets this > > > > + from ACPI / device tree). > > > > diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c > > > > index beb8d1f4fafe..38b3259ba333 100644 > > > > --- a/drivers/pci/pci-sysfs.c > > > > +++ b/drivers/pci/pci-sysfs.c > > > > @@ -1541,4 +1541,5 @@ static const struct attribute_group *pci_dev_attr_groups[] = { > > > > > > > > const struct device_type pci_dev_type = { > > > > .groups = pci_dev_attr_groups, > > > > + .supports_removable = true, > > > > }; > > > > diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c > > > > index 3a62d09b8869..3515afeeaba8 100644 > > > > --- a/drivers/pci/probe.c > > > > +++ b/drivers/pci/probe.c > > > > @@ -1575,6 +1575,16 @@ static void set_pcie_untrusted(struct pci_dev *dev) > > > > dev->untrusted = true; > > > > } > > > > > > > > +static void pci_set_removable(struct pci_dev *dev) > > > > +{ > > > > + struct pci_dev *parent = pci_upstream_bridge(dev); > > > > + if (parent && > > > > + (parent->external_facing || dev_is_removable(&parent->dev))) > > > > + dev_set_removable(&dev->dev, DEVICE_REMOVABLE); > > > > + else > > > > + dev_set_removable(&dev->dev, DEVICE_FIXED); > > > > +} > > > > > > Always run checkpatch.pl so you don't get grumpy maintainers telling you > > > to run checkpatch.pl :( > > > > Yes, I did (it gave me 0 errors and 0 warnings). Please let me know if > > I need to fix something and I'll be happy to fix that. > > > > > > > > And why does external_facing come into play here? I know you say it > > > above, but you should also put it here into the code for when we need to > > > look at it in a few months and wonder what in the world this is doing. > > > > Ack, will do. > > > > > > > > Also, are you SURE this is correct and will handle the hotpluggable PCI > > > devices in things like drawers and the like? > > > > Yes, me and Bjorn discussed this in the v2 of this patch > > (https://patchwork.kernel.org/project/linux-usb/patch/20210424021631.1972022-2-rajatja@google.com/), > > and yes, this can take care of the hot-pluggable trays if the firmware > > marks the slots external-facing. > > Ok, I'll trust you two :) > > > > What is the goal here in exposing this information to userspace, who is > > > going to use it and what is it going to be used for? > > > > The goal here is to implement policies regarding usage of external PCI > > devices, in userspace. ChromeOS is using it for things like: > > - Remove external PCI devices when a user logs out. > > remove them how? disconnect the device from the system through what > method? echo 1 > /sys/bus/pci/devices//remove > > > - Don't allow new external PCI devices while the screen is locked. > > Don't allow how? Don't allow the binding of a driver to a device, or > the device to be discovered at all? What controls this? Actually Sorry, this was a wrong recollection. > > > - collect metrics about usage of external PCI devices (how many users > > actually use it etc). > > - disable certain features (that are deemed to be dangerous) for > > external PCI network cards. > > What is a "dangerous" network feature, RDMA? For now, we disable offloading of receive path generic / segmentation / checksum features to the external PCI hardware, based on our security team's recommendations. Thanks, Rajat > > thanks, > > greg k-h