Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1886050pxj; Fri, 18 Jun 2021 19:18:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz3BJpa9dHlOA+qSTVFdfU+3GEGeP5w2VkZySzxpa6kurksAq7xPghsUqwAZhg/1yX3tCJp X-Received: by 2002:a05:6e02:ec3:: with SMTP id i3mr4622099ilk.266.1624069087636; Fri, 18 Jun 2021 19:18:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624069087; cv=none; d=google.com; s=arc-20160816; b=G9S1vS1XRy0YmF6YK5mS9sNGemHGAJDqWFvz8qz7tbd5IcAXYJpsKw/rEGDcXWKLrZ ZHUOiljuczxvqt17tnfOAMQCPP7esls9rtRBHg2LEzRnqO5LQvo675UcX9tG6JiDsK5y NuvqoRbS4QL7cuznxu71QQFxUn6ijciq+srHr6ubEGkW7QBX9OjLEV/v/v+Hm+2BICUa /qSz42hCbN/kNSy9pOOiaIl6pL6kb/11pXB3DP4aFpo3rmQeLC75NZzX7em0uSz/NVEA jJ55F4rTbgsAEX4qo5zp0YGm4BG7bZ8kLEZNpGUjNHIm4rA6zwBJr6pk0XG4kLv9N2Av bgzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=kcnSIGVOikhoDEuCvcYEvLVz1vRJz4tT9dCN0zN1GsQ=; b=L2OX3F2MBXLmCc61ksJgoS/nnM/6stj5GpRz8+qlEYTbJZ10aMRgKajqJL+atAaEWp hkAuicjXXqjFRs9AJhaIDoTC29gZz18oGNWgSWBSJcipiDqZaGYlogVDdyZYz/guuM9w Jywi3446Rhxnmur9UaNVAvx/Ox3LlzaTwNay+BQTnNbx0CzmSxQlC5g65JmjpJqn71dY 454BtEFj0mCf3/dkrxuogEALJOrMgXg39QxDDGtLQZFF88UW1q+bszXzOCLStLjfAhHp aUBMJCeuxqbOFBj35jNXThJ/gfPnji3zMd6HWdCOprAv0HzzKi3B+axxpBkAfLuF/O8v e8iQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b11si5378028ilv.25.2021.06.18.19.17.55; Fri, 18 Jun 2021 19:18:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232182AbhFRSet (ORCPT + 99 others); Fri, 18 Jun 2021 14:34:49 -0400 Received: from foss.arm.com ([217.140.110.172]:45138 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229945AbhFRSer (ORCPT ); Fri, 18 Jun 2021 14:34:47 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 93B121424; Fri, 18 Jun 2021 11:32:34 -0700 (PDT) Received: from [10.57.9.136] (unknown [10.57.9.136]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id B0DB93F70D; Fri, 18 Jun 2021 11:32:32 -0700 (PDT) Subject: Re: [PATCH v2 12/12] iommu: Do not allow IOMMU passthrough with Secure Launch To: Ross Philipson , linux-kernel@vger.kernel.org, x86@kernel.org, iommu@lists.linux-foundation.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org Cc: dpsmith@apertussolutions.com, luto@amacapital.net, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, tglx@linutronix.de, trenchboot-devel@googlegroups.com References: <1624032777-7013-1-git-send-email-ross.philipson@oracle.com> <1624032777-7013-13-git-send-email-ross.philipson@oracle.com> From: Robin Murphy Message-ID: <53edcf0e-c094-876c-ac3d-7c9752e9ea99@arm.com> Date: Fri, 18 Jun 2021 19:32:27 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: <1624032777-7013-13-git-send-email-ross.philipson@oracle.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-06-18 17:12, Ross Philipson wrote: > The IOMMU should always be set to default translated type after > the PMRs are disabled to protect the MLE from DMA. > > Signed-off-by: Ross Philipson > --- > drivers/iommu/intel/iommu.c | 5 +++++ > drivers/iommu/iommu.c | 6 +++++- > 2 files changed, 10 insertions(+), 1 deletion(-) > > diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c > index be35284..4f0256d 100644 > --- a/drivers/iommu/intel/iommu.c > +++ b/drivers/iommu/intel/iommu.c > @@ -41,6 +41,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -2877,6 +2878,10 @@ static bool device_is_rmrr_locked(struct device *dev) > */ > static int device_def_domain_type(struct device *dev) > { > + /* Do not allow identity domain when Secure Launch is configured */ > + if (slaunch_get_flags() & SL_FLAG_ACTIVE) > + return IOMMU_DOMAIN_DMA; Is this specific to Intel? It seems like it could easily be done commonly like the check for untrusted external devices. > + > if (dev_is_pci(dev)) { > struct pci_dev *pdev = to_pci_dev(dev); > > diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c > index 808ab70d..d49b7dd 100644 > --- a/drivers/iommu/iommu.c > +++ b/drivers/iommu/iommu.c > @@ -23,6 +23,7 @@ > #include > #include > #include > +#include > #include > > static struct kset *iommu_group_kset; > @@ -2761,7 +2762,10 @@ void iommu_set_default_passthrough(bool cmd_line) > { > if (cmd_line) > iommu_cmd_line |= IOMMU_CMD_LINE_DMA_API; > - iommu_def_domain_type = IOMMU_DOMAIN_IDENTITY; > + > + /* Do not allow identity domain when Secure Launch is configured */ > + if (!(slaunch_get_flags() & SL_FLAG_ACTIVE)) > + iommu_def_domain_type = IOMMU_DOMAIN_IDENTITY; Quietly ignoring the setting and possibly leaving iommu_def_domain_type uninitialised (note that 0 is not actually a usable type) doesn't seem great. AFAICS this probably warrants similar treatment to the mem_encrypt_active() case - there doesn't seem a great deal of value in trying to save users from themselves if they care about measured boot yet explicitly pass options which may compromise measured boot. If you really want to go down that route there's at least the sysfs interface you'd need to nobble as well, not to mention the various ways of completely disabling IOMMUs... It might be reasonable to make IOMMU_DEFAULT_PASSTHROUGH depend on !SECURE_LAUNCH for clarity though. Robin. > } > > void iommu_set_default_translated(bool cmd_line) >