Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2146135pxb; Wed, 9 Feb 2022 11:50:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJx9Mm9sDjkw6wMW+Jiecxa90ts+mZQkHQOwMf47DHv2bCQZNyqRhytrgP01JkFGkWS8dcpT X-Received: by 2002:a17:902:7897:: with SMTP id q23mr3813731pll.67.1644436221122; Wed, 09 Feb 2022 11:50:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644436221; cv=none; d=google.com; s=arc-20160816; b=Ks/8+3OUUfINujtjYbvZSB3c46SmnuJ2FkqgB8M0H1U02TlhdhLmtupv7MfitW6uLP Gx5IKne9PHkzp0oycdDgnaeKI2jM8oeGXAAWxbiLtzHrK+Sc0Okupys4ojFTHyi7hJoO OGVtF2GSDX8BXfmXNncJB3awDndwzULyj6MrJ+guQNEA7iu86jP25M4ey9/s2Dmuos60 gJV3eE3D7uVjUGziujpY8J0RuxzKzgpRKzj2w26brq8ubmLFJl05EdZtDZnch+w+NDVW +XpY6NrTTMhl/KL2Qycudspwca5oAWU0beeAeqJL/ZJBwjsc8xJXnBQi1byUI+TSTtxM YMHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :message-id:subject:cc:to:from:date:dkim-signature; bh=Bj5mf2REviqGALDCtKYc764O6imJL3k9uSyY/UOQ2F0=; b=Ja6DMIZVkNkdHYa75NT5SqFerK9HwafqvJ9AdEIFaPMMI/PMxccweMMar1rrOwz+pV LPE5iyIqMseE2Swzj8oLs6QULXXpaFcGSysmbZ6EW0vMM5I3Gh4xF187fwN1WYdfxXdE iVycxTJmHfIcFLbXmOHttYSV5BJqSPjEoZeMaqENSzLoA3e2UrcADjF6DLS+ColBwMiN E8D3+VhSU695qdUIvCvRbIL6aKI4sj0mKz6lsVWtCK0h59OVqU4tfc/m5yVjzu0eOVyN TOBD+iGmRGv668m+y3NrprBkpgaflywgZ6EwmRKW/Pk8BxKFKb0Nwiv5FMkTRBtLCmEh TQKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WbAuiMsz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id b10si18401428plg.339.2022.02.09.11.50.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Feb 2022 11:50:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=WbAuiMsz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id DF438E039C4F; Wed, 9 Feb 2022 11:45:17 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240242AbiBISli (ORCPT + 99 others); Wed, 9 Feb 2022 13:41:38 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55184 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240208AbiBISk2 (ORCPT ); Wed, 9 Feb 2022 13:40:28 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0B5FC03E92D; Wed, 9 Feb 2022 10:39:50 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 96B70B82384; Wed, 9 Feb 2022 18:39:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id DAC95C340E9; Wed, 9 Feb 2022 18:39:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1644431988; bh=0CUNFDq1i8SMYF2bfSV/C/M1uogY/iqh5qhEyXLr8kA=; h=Date:From:To:Cc:Subject:In-Reply-To:From; b=WbAuiMszliganrStT1NXHJce/DBmAI7MzT/RPt+oRna9pXiYTF7iSZeJaYdsDBeLa sMZjj5vmEZxk3yK2BxCdcepZUY81d60UaqcXH9ugrfohUIenfY+I+s1Xw7WA1kA/Ll eyiH4ic7gvMwnJOPWIFwYFUBfHSiIcbmz/+YKbKuESfAqycz5AC+5aN68AwI9HVMxe CS5TMRGCJNym9zZb/pa1hJ0hin9dki1IRknwFSEFlKJpxC9Q6WoFnceGquuUHmZvog H+/ImzyTDVyrjjtfTZkuA+/hi6BvVVQ316V8d+ieXNxN94e4Bg8SHqGs6Us97/3nPl gygEKr7Cqum3Q== Date: Wed, 9 Feb 2022 12:39:45 -0600 From: Bjorn Helgaas To: Greg Kroah-Hartman Cc: Rajat Jain , Rob Herring , "Rafael J. Wysocki" , Len Brown , linux-pci@vger.kernel.org, devicetree@vger.kernel.org, Mika Westerberg , Bjorn Helgaas , ACPI Devel Maling List , Linux Kernel Mailing List , Rajat Jain , Dmitry Torokhov , Jesse Barnes , Jean-Philippe Brucker , Pavel Machek , Oliver O'Halloran , Joerg Roedel Subject: Re: [PATCH v2 1/2] PCI: Allow internal devices to be marked as untrusted Message-ID: <20220209183945.GA571585@bhelgaas> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 09, 2022 at 06:46:12AM +0100, Greg Kroah-Hartman wrote: > On Tue, Feb 08, 2022 at 04:23:27PM -0800, Rajat Jain wrote: > > On Tue, Feb 1, 2022 at 6:01 PM Rajat Jain wrote: > > > > > > Today the pci_dev->untrusted is set for any devices sitting downstream > > > an external facing port (determined via "ExternalFacingPort" or the > > > "external-facing" properties). > > > > > > However, currently there is no way for internal devices to be marked as > > > untrusted. > > > > > > There are use-cases though, where a platform would like to treat an > > > internal device as untrusted (perhaps because it runs untrusted firmware > > > or offers an attack surface by handling untrusted network data etc). > > > > > > Introduce a new "UntrustedDevice" property that can be used by the > > > firmware to mark any device as untrusted. > > > > Just to unite the threads (from > > https://www.spinics.net/lists/linux-pci/msg120221.html). I did reach > > out to Microsoft but they haven't acknowledged my email. I also pinged > > them again yesterday, but I suspect I may not be able to break the > > ice. So this patch may be ready to go in my opinion. > > > > I don't see any outstanding comments on this patch, but please let me > > know if you have any comments. > > > > > Signed-off-by: Rajat Jain > > > --- > > > v2: * Also use the same property for device tree based systems. > > > * Add documentation (next patch) > > > > > > drivers/pci/of.c | 2 ++ > > > drivers/pci/pci-acpi.c | 1 + > > > drivers/pci/pci.c | 9 +++++++++ > > > drivers/pci/pci.h | 2 ++ > > > 4 files changed, 14 insertions(+) > > > > > > diff --git a/drivers/pci/of.c b/drivers/pci/of.c > > > index cb2e8351c2cc..e8b804664b69 100644 > > > --- a/drivers/pci/of.c > > > +++ b/drivers/pci/of.c > > > @@ -24,6 +24,8 @@ void pci_set_of_node(struct pci_dev *dev) > > > dev->devfn); > > > if (dev->dev.of_node) > > > dev->dev.fwnode = &dev->dev.of_node->fwnode; > > > + > > > + pci_set_untrusted(dev); > > > } > > > > > > void pci_release_of_node(struct pci_dev *dev) > > > diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c > > > index a42dbf448860..2bffbd5c6114 100644 > > > --- a/drivers/pci/pci-acpi.c > > > +++ b/drivers/pci/pci-acpi.c > > > @@ -1356,6 +1356,7 @@ void pci_acpi_setup(struct device *dev, struct acpi_device *adev) > > > > > > pci_acpi_optimize_delay(pci_dev, adev->handle); > > > pci_acpi_set_external_facing(pci_dev); > > > + pci_set_untrusted(pci_dev); > > > pci_acpi_add_edr_notifier(pci_dev); > > > > > > pci_acpi_add_pm_notifier(adev, pci_dev); > > > diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c > > > index 9ecce435fb3f..41e887c27004 100644 > > > --- a/drivers/pci/pci.c > > > +++ b/drivers/pci/pci.c > > > @@ -6869,3 +6869,12 @@ static int __init pci_realloc_setup_params(void) > > > return 0; > > > } > > > pure_initcall(pci_realloc_setup_params); > > > + > > > +void pci_set_untrusted(struct pci_dev *pdev) > > > +{ > > > + u8 val; > > > + > > > + if (!device_property_read_u8(&pdev->dev, "UntrustedDevice", &val) If we do this, can we combine it with set_pcie_untrusted(), where we already set pdev->untrusted? Maybe that needs to be renamed; I don't see anything PCIe-specific there, and it looks like it works for conventional PCI as well. > Please no, "Untrusted" does not really convey much, if anything here. > You are taking an odd in-kernel-value and making it a user api. > > Where is this "trust" defined? Who defines it? What policy does the > kernel impose on it? I'm a bit hesitant about this, too. It really doesn't have anything in particular to do with the PCI core. It's not part of the PCI specs, and it could apply to any kind of device, not just PCI (ACPI, platform, USB, etc). We have: dev->removable # struct device pdev->is_thunderbolt pdev->untrusted pdev->external_facing and it feels a little hard to keep everything straight. Most of them are "discovered" based on some DT or ACPI firmware property. None of them really has anything specifically to do with *PCI*, and I don't think the PCI core depends on any of them. I think pdev->is_thunderbolt is the only one we discover based on a PCI feature (the Thunderbolt Capability), and the things we *use* it for are actually not things specified by that capability [1]. Could drivers just look for these properties directly instead of relying on the PCI core to get in the middle? Most callers of device_property_read_*() are in drivers. I do see that doing it in the PCI core might help enforce standard usage in DT/ACPI, but we could probably do that in other ways, too. Bjorn [1] https://lore.kernel.org/r/20220204222956.GA220908@bhelgaas