Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp991985pxp; Wed, 16 Mar 2022 23:44:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnaMg7yNtdmqR0wy1AMxhBWTQLQeljjwcuqt7BRQkVCuLsW8hjIpyUa7NdlWqiDoe0cIbk X-Received: by 2002:a63:f315:0:b0:376:2310:ffed with SMTP id l21-20020a63f315000000b003762310ffedmr2490721pgh.23.1647499447716; Wed, 16 Mar 2022 23:44:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647499447; cv=none; d=google.com; s=arc-20160816; b=jq912PjPlOF0JPCv1ILDKSyvZhtcfzNul3a45I5+xOKwTP/ODAWWYSp2a4XG9sERZq NQWDVduEA4uggkwogGx4ZAAPUmJKojE5sk9cEzfc9aiN7gIWrGQkQ7uJFlqWq84sA4+h LKsDNVJtj8kxv432dsjXhGLlJB1DmbJQddMvRW9Gih35y0gfhHRL5GiKHeB5xdZX6lmk IwL7x0ZaqKTt2JNxwe/JXyFsmpnmc+56DImDuS3AiQlg0NZ3fJuomksD3pa/1f0mqqec lLbsVcFNOEleIqPZuCsLL30cim7PfxROph15uMG7+VqclaJe1jWpe2cpfhFciYqOpCLR 82AA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=Gw6ed9r1y+rVM4z3NAx/EKzwiUYROgDHB/Io5bizz2A=; b=mOKhbhryENFzt/0N7HmMiERVAx70ZaH3GuRpxWl3gfxPEFSVn1hKLGQf953sBkXQH6 2v2dRdw1wSDcIiLwq2RV5axw6j4UbcgD4yN0wjhkw9qv2mTgScLTqb7dcNBclf86zuq0 oKDZ6xLgFVYm1FCrOLxfIuXUR2sCTU/YeAk2Cb2Ym7b1y35Ni5pQqgsuPU4iiXSVsTph 9iaLsgynQVoyzH98eyUnbaURSDyQCVkg7TAxCCPzE69PkLvCd7NsxpWbbKwNtpcZ7hHu hfx9hZB0BDcZTwQs4QM35ySVbgm8olEosAXAMfucWyNujVrPFBEuQQuY+YKxIJERICsj QYOQ== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id b4-20020a170903228400b00151f12d9739si4388773plh.96.2022.03.16.23.44.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 23:44:07 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 86CCA2D25B5; Wed, 16 Mar 2022 22:28:37 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1355905AbiCPRuo (ORCPT + 99 others); Wed, 16 Mar 2022 13:50:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236996AbiCPRum (ORCPT ); Wed, 16 Mar 2022 13:50:42 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id AD3F86AA6E; Wed, 16 Mar 2022 10:49:27 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 687391476; Wed, 16 Mar 2022 10:49:27 -0700 (PDT) Received: from [10.57.42.204] (unknown [10.57.42.204]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0E1AE3F66F; Wed, 16 Mar 2022 10:49:25 -0700 (PDT) Message-ID: <3bb6a2f8-005b-587a-7d7a-7a9a5391ec05@arm.com> Date: Wed, 16 Mar 2022 17:49:21 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.6.2 Subject: Re: [PATCH] thunderbolt: Stop using iommu_present() Content-Language: en-GB To: Mika Westerberg , "Limonciello, Mario" Cc: "michael.jamet@intel.com" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "YehezkelShB@gmail.com" , "iommu@lists.linux-foundation.org" , "andreas.noever@gmail.com" , "hch@lst.de" References: <16852eb2-98bb-6337-741f-8c2f06418b08@arm.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-03-16 17:37, Mika Westerberg wrote: > Hi Mario, > > On Wed, Mar 16, 2022 at 05:24:38PM +0000, Limonciello, Mario wrote: >> [Public] >> >>> On Wed, Mar 16, 2022 at 02:49:09PM +0000, Robin Murphy wrote: >>>>> What we want is to make sure the Tunneled PCIe ports get the full >>> IOMMU >>>>> protection. In case of the discrete above it is also fine if all the >>>>> devices behind the PCIe root port get the full IOMMU protection. Note in >>>>> the integrated all the devices are "siblings". >>>> >>>> Ah, OK, I wasn't aware that the NHI isn't even the right thing in the first >>>> place :( >>>> >>>> Is there an easy way to get from the struct tb to a PCI device representing >>>> the end of its relevant tunnel, or do we have a circular dependency >>> problem >>>> where the latter won't appear until we've authorised it (and thus the >>> IOMMU >>>> layer won't know about it yet either)? >>> >>> The PCIe root ports (and the PCIe downstream ports) are there already >>> even without "authorization". >>> >>> There is a way to figure out the "tunneled" PCIe ports by looking at >>> certain properties and we do that already actually. The BIOS has the >>> following under these ports: >>> >>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs >>> .microsoft.com%2Fen-us%2Fwindows-hardware%2Fdrivers%2Fpci%2Fdsd- >>> for-pcie-root-ports%23identifying-externally-exposed-pcie-root- >>> ports&data=04%7C01%7Cmario.limonciello%40amd.com%7C0465d319a >>> 6684335d9c208da07710e7c%7C3dd8961fe4884e608e11a82d994e183d%7C0%7 >>> C0%7C637830479402895833%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4w >>> LjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&am >>> p;sdata=z6hpYGpj%2B%2BVvz9d6MXiO4N66PUm4zwhOdI%2Br6l3PjhQ%3D >>> &reserved=0 >>> >>> and the ports will have dev->external_facing set to 1. Perhaps looking >>> at that field helps here? >> >> External facing isn't a guarantee from the firmware though. It's something we >> all expect in practice, but I think it's better to look at the ones that are from >> the _DSD usb4-host-interface to be safer. > > Right but then we have the discrete ones with the DVSEC that exposes the > tunneled ports :( > >> Mika, you might not have seen it yet, but I sent a follow up diff in this thread >> to Robin's patch. If that looks good Robin can submit a v2 (or I'm happy to do >> so as well as I confirmed it helps my original intent too). > > I saw it now and I'm thinking are we making this unnecessary complex? I > mean Microsoft solely depends on the DMAR platform opt-in flag: > > https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt > > We also do turn on full IOMMU mappings in that case for devices that are > marked as external facing by the same firmware that provided the DMAR > bit. If the user decides to disable IOMMU from command line for instance > then we expect she knows what she is doing. Yeah, if external_facing is set correctly then we can safely expect the the IOMMU layer to do the right thing, so in that case it probably is OK to infer that if an IOMMU is present for the NHI then it'll be managing that whole bus hierarchy. What I'm really thinking about here is whether we can defend against a case when external_facing *isn't* set, so we treat the tunnelled ports as normal PCI buses, assume it's OK since we've got an IOMMU and everything else is getting translation domains by default, but then a Thunderbolt device shows up masquerading the VID:DID of something that gets a passthrough quirk, and thus tricks its way through the perceived protection. Robin.