Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp7205129rwb; Wed, 23 Nov 2022 03:43:09 -0800 (PST) X-Google-Smtp-Source: AA0mqf7hql08uLcBXuITkIcC+NP+lE2SKj2r/aMqrsI7UrHX57Jr+FHUuOdauBuaUk8FXiBtE3SY X-Received: by 2002:a62:e717:0:b0:572:df9e:d57d with SMTP id s23-20020a62e717000000b00572df9ed57dmr30797575pfh.10.1669203789739; Wed, 23 Nov 2022 03:43:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669203789; cv=none; d=google.com; s=arc-20160816; b=0BKpEnQcy0qVdlIuT7H/b7yD9BkPtY2ClVrdb76Z00IQizv4DeqRK3heVWc5sLcTCG heQ+shlCVpzO64y30o4VoF+aLnWSuMYULtbcNHdhxV1CEXhmj9466Lk91ETagSTiSNlQ kvL6ORamnoe259Df7YIqQmbTJjDvx2bIinrdPAeE/t98x8xOQXwNmJpzitzkks626/DB NZAVAgZnYfQcg5tb+9q2V3qC7mheihYwEqndFnogWJbf3n77TLyH7iAYSb7VrDLzBcMy Qq1wngWW3DJK66ARgjbyixzjPKXCJI2ahXCKln9m24M79+KG6Hq3zaX2vcsmVH88F/2U sgUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=2GMbnt+s/ZM7Ip3H1I9q2krAqdwxE1MThqbg60yT8Lg=; b=OS+vfh0IUKtb8AGBPDH5tGt/EsT7HeFr+IX0xFoBFAcHc8LqX6mJw0UyNpG6vM2juG GZcOUWG/AYybJfjKwpvPx3N4k7i3oOxiDv0u2sV8lPGI/fCml+jI4SgOjnm1KCvAo+J6 YMglhvVXHFxLNNeP8WoKc/L1ur3Ytdx/rFB4NWw/jQBIGemepYR6RJ3iVZNt3nVV96Gh sLyMZY2fkqtB747FWkDqCkTXpG6VbZsNTliDUxEEOxuHalYe4959fxY3Vvsc3oByBBnd 8urJA9Vcu0b7hgLI1yJwuBQDGpiYPSSutcNVbarB4l1fx93LV/EwsmW7///P9Diqtnyh zKyg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i18-20020a170902e49200b0018925fc232esi5742066ple.191.2022.11.23.03.42.58; Wed, 23 Nov 2022 03:43:09 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236697AbiKWLc6 (ORCPT + 90 others); Wed, 23 Nov 2022 06:32:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42042 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236693AbiKWLcy (ORCPT ); Wed, 23 Nov 2022 06:32:54 -0500 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E433E18B02 for ; Wed, 23 Nov 2022 03:32:52 -0800 (PST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 283101FB; Wed, 23 Nov 2022 03:32:59 -0800 (PST) Received: from [10.57.71.118] (unknown [10.57.71.118]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 067823F587; Wed, 23 Nov 2022 03:32:50 -0800 (PST) Message-ID: <53678e27-1bbc-a7e8-a1b0-0427fc0e5b62@arm.com> Date: Wed, 23 Nov 2022 11:32:44 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Thunderbird/102.5.0 Subject: Re: [PATCH] iommu/vt-d: Add a fix for devices need extra dtlb flush Content-Language: en-GB To: "Tian, Kevin" , Baolu Lu , Jacob Pan , LKML , "iommu@lists.linux.dev" , Joerg Roedel Cc: Will Deacon , David Woodhouse , "Raj, Ashok" , "Liu, Yi L" , "Luo, Yuzhang" References: <20221122034529.3311562-1-jacob.jun.pan@linux.intel.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-11-23 05:18, Tian, Kevin wrote: >> From: Baolu Lu >> Sent: Wednesday, November 23, 2022 1:04 PM >> >> On 2022/11/23 9:02, Tian, Kevin wrote: >>>> From: Robin Murphy >>>> Sent: Wednesday, November 23, 2022 1:49 AM >>>> >>>>> + >>>>> +/* Impacted QAT device IDs ranging from 0x4940 to 0x4943 */ >>>>> +#define BUGGY_QAT_DEVID_MASK 0x494c >>>>> +static bool dev_needs_extra_dtlb_flush(struct pci_dev *pdev) >>>>> +{ >>>>> + if (pdev->vendor != PCI_VENDOR_ID_INTEL) >>>>> + return false; >>>>> + >>>>> + if ((pdev->device & 0xfffc) != BUGGY_QAT_DEVID_MASK) >>>>> + return false; >>>>> + >>>>> + if (risky_device(pdev)) >>>>> + return false; >>>> >>>> Hmm, I'm not sure that that makes much sense to me - what privilege can >>>> the device gain from being told to invalidate things twice? Why would we >>>> want to implicitly *allow* a device to potentially keep using a stale >>>> translation if for some bizarre reason firmware has marked it as >>>> external, surely that's worse? >> >> From the perspective of IOMMU, any quirk is only applicable to trusted >> devices. If the IOMMU driver detects that a quirk is being applied to an >> untrusted device, it is already buggy or malicious. The IOMMU driver >> should let the users know by: >> >> pci_info(pdev, >> "Skipping IOMMU quirk for dev [%04X:%04X] on untrusted >> PCI link\n", >> pdev->vendor, pdev->device); >> pci_info(pdev, "Please check with your BIOS/Platform vendor about >> this\n"); >> >> and stop applying any quirk. >> > > A quirk usually relaxes something then you want it only on trusted devices. > > but the quirk in this patch is trying to fix a vulnerability. In concept it's > weird to skip it on untrusted devices. This iiuc was the part causing confusion > to Robin. Right, it's that reasoning in general that seems bogus to me. Clearly any quirk that effectively grants additional privileges, like an identity mapping quirk, should not be applied to untrusted external devices which may be spoofing an affected VID/DID to gain that privilege, but not all quirks imply privilege. If, say, a WiFI controller needs something innocuous like a DMA alias or address width quirk to function correctly, it will still need that regardless of whether it's soldered to a motherboard or to a removable expansion card, and it would do nobody any good to deny correct functionality based on that unnecessary distinction. Yes, I appreciate that in practice many of those kind of quirks will be applied in other layers anyway, but I still think it's wrong to make a sweeping assumption that all IOMMU-level quirks are precious treasure not to be shared with outsiders, rather than assess their impact individually. The detriment in this case is small (just needless code churn), but even that's still not nothing. Thanks, Robin.