Message-ID: <0709e994-1c8b-56fe-7743-8fdbf3ba748b@arm.com>
Date: Wed, 16 Mar 2022 19:17:57 +0000
Subject: Re: [PATCH] thunderbolt: Stop using iommu_present()
From: Robin Murphy
To: "Limonciello, Mario", Mika Westerberg
Cc: "michael.jamet@intel.com", "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", "YehezkelShB@gmail.com", "iommu@lists.linux-foundation.org", "andreas.noever@gmail.com", "hch@lst.de"
References: <16852eb2-98bb-6337-741f-8c2f06418b08@arm.com> <3bb6a2f8-005b-587a-7d7a-7a9a5391ec05@arm.com> <5ef1c30a-1740-00cc-ad16-4b1c1b02fca4@arm.com>
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-03-16 18:34, Limonciello, Mario wrote:
> [Public]
>
>>> Can the USB4 CM make the device links in the DVSEC case perhaps too? I
>>> would think we want that anyway to control device suspend ordering.
>>>
>>> If I had something discrete to try I'd dust off the DVSEC patch I wrote
>>> before to try it, but alas all I have is integrated stuff on my hand.
>>>
>>>>>> Mika, you might not have seen it yet, but I sent a follow-up diff in
>>>>>> this thread to Robin's patch. If that looks good Robin can submit a v2
>>>>>> (or I'm happy to do so as well as I confirmed it helps my original
>>>>>> intent too).
>>>>>
>>>>> I saw it now and I'm thinking are we making this unnecessarily complex?
>>>>> I mean Microsoft solely depends on the DMAR platform opt-in flag:
>>>>>
>>>>>
>>>>
>>>
>>> I think Microsoft doesn't allow you to turn off the IOMMU though or put
>>> it in passthrough on the kernel command line.
>>>
>>>>> We also do turn on full IOMMU mappings in that case for devices that
>>>>> are marked as external facing by the same firmware that provided the
>>>>> DMAR bit. If the user decides to disable IOMMU from command line for
>>>>> instance then we expect she knows what she is doing.
>>>>
>>>> Yeah, if external_facing is set correctly then we can safely expect the
>>>> IOMMU layer to do the right thing, so in that case it probably is OK
>>>> to infer that if an IOMMU is present for the NHI then it'll be managing
>>>> that whole bus hierarchy. What I'm really thinking about here is whether
>>>> we can defend against a case when external_facing *isn't* set, so we
>>>> treat the tunnelled ports as normal PCI buses, assume it's OK since
>>>> we've got an IOMMU and everything else is getting translation domains
>>>> by default, but then a Thunderbolt device shows up masquerading the
>>>> VID:DID of something that gets a passthrough quirk, and thus tricks its
>>>> way through the perceived protection.
>>>>
>>>> Robin.
>>>
>>> Unless it happened after 5.17-rc8 looking at the code I think that's
>>> Intel specific behavior though at the moment (has_external_pci). I don't
>>> see it in a generic layer.
>>
>> Ah, it's not necessarily the most obvious thing -
>> pci_dev->external_facing gets propagated through to pci_dev->untrusted
>> by set_pcie_untrusted(), and it's that that's then checked by
>> iommu_get_def_domain_type() to enforce a translation domain regardless
>> of default passthrough or quirks. It's then further checked by
>> iommu-dma's dev_is_untrusted() to enforce bounce-buffering to avoid data
>> leakage in sub-page mappings too.
>>
>
> Ah thanks for explaining it, that was immediately obvious to me.
>
>>> In addition to the point Robin said about firmware not setting external
>>> facing if the IOMMU was disabled on command line then
>>> iommu_dma_protection would be showing the wrong values meaning userspace
>>> may choose to authorize the device automatically in a potentially unsafe
>>> scenario.
>>>
>>> Even if the user "knew what they were doing", I would expect that we
>>> still do our best to protect them from themselves and not advertise
>>> something that will cause automatic authorization.
>>
>> Might it be reasonable for the Thunderbolt core to check early on if any
>> tunnelled ports are not marked as external facing, and if so just tell
>> the user that iommu_dma_protection is off the table and anything they
>> authorise is at their own risk?
>>
>> Robin.
>
> How about in iommu_dma_protection_show to just check that all the device
> links to the NHI are marked as untrusted?
>
> Then if there are device links missing we solve that separately (discrete
> USB4 DVSEC case we just need to make those device links).

The feeling I'm getting from all this is that if we've got as far as
iommu_dma_protection_show() then it's really too late to meaningfully
mitigate bad firmware. We should be able to detect missing
untrusted/external-facing properties as early as nhi_probe(), and if we
could go into "continue at your own risk" mode right then *before*
anything else happens, it all becomes a lot easier to reason about. If
there's a strong enough impetus from Microsoft for system vendors to get
their firmware right, hopefully we can get away with not trying too hard
to cope with systems that haven't.

I'm inclined to send v2 of this patch effectively going back to my
original (even simpler) cleanup, just now with much more reasoning about
why it isn't doing more :)

Cheers,
Robin.