Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 427C0C05027 for ; Thu, 2 Feb 2023 20:45:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233115AbjBBUpj (ORCPT ); Thu, 2 Feb 2023 15:45:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42260 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233077AbjBBUpK (ORCPT ); Thu, 2 Feb 2023 15:45:10 -0500 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (mail-bn8nam04on2072.outbound.protection.outlook.com [40.107.100.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E52BF44A2; Thu, 2 Feb 2023 12:45:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fFYICSOnbs0PQ4h6IQLnXyey4BfOAfJ6YlYMDYJZtfLbQTzdK/R9kk70WHpZTCS8WWyui6NtmzMHDpbXRdGRoTrXF52N4fNVaviszbfXE4asYbPIolicy/5kCZgC8JGZKld5MEIVmqEnyZbHTbWPm5qEOyQCcz4ZffFCG8Fp506k5OZswxWol8jp7r9AiDkYFCkBlCQc6A4U19bNb2quxStlF+UBBVVxiwvxBU0UVHI7TS44sDJX/4EJQFX5o2+LoLqfazM5sOXFIcxYVJcAMZCZvCtouyrmEWp0o54MAHQBfEWGMBnV6YrR2qkUfNCxNTsdyeFaLqNgyIQ1G1J10g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=sc/EkkgzaTbVSegKJWR0go/aHsDna1tV7OAYzPGrfqA=; b=Os0h6EgSbsBEZUedVdUjchpkV2sQLoig71utd1jiHVhh7c8SWUpx2BAj8jV9Uw10mNP96ii49zyZC4Yis1y2PnIakm5SloNvhi5K3wct8WoiFrppmI7myvjsk0scpHaJ1J1vbYKiBH57e+ROlAun8o8hZQM6wa44m0175Rb4SN+Dkn4rRWuQrHUZjT5o7XxxingO+Q/2a9n1Ddph0mMr1R6CM/LygtBRRBxEb9tQqAOUimOvtjO0BWPpSsRHwXzQbR3f1R2UzwyewkZwL0p0yNPAajRCiRz5W0h/HhOwf9SwDQ+b1sJrbDZBC7Yi6nySLs6bHOi8Oz+y8Zcc7QtYUw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sc/EkkgzaTbVSegKJWR0go/aHsDna1tV7OAYzPGrfqA=; b=sRJ/lLu+fqm+hDN02YnWLTaHKpecdEyn32hepBODxH1LvuJHFCarKqh8xiBi5i0zMSotMApp+OK/xLSdk58EpujJbRE1cSN06laLx4+Q2wFwdplPFuyw9kI1gTe7OEn38yzxUPt7ShjoTXExJKHoZRMITvK0RWVgdZTH2+f3j695DW7EUh9xH5LYdMvSfcB65rR8y+gBNE3tPPu+E98X8bCi1pQyvHzj4Hbkx09uThp4ZazjwRoHJ6pW+ClcA34EpFvdTBYvIp/wcihjpy/S4LNsGcgO/gKLJ3L6epsFGCHWgCtZ1H+HwW+vuL6VoeiJ+zSla7iIUrsOmywEkP9/sg== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nvidia.com; Received: from LV2PR12MB5869.namprd12.prod.outlook.com (2603:10b6:408:176::16) by DS7PR12MB6008.namprd12.prod.outlook.com (2603:10b6:8:7f::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.36; Thu, 2 Feb 2023 20:45:07 +0000 Received: from LV2PR12MB5869.namprd12.prod.outlook.com ([fe80::3cb3:2fce:5c8f:82ee]) by LV2PR12MB5869.namprd12.prod.outlook.com ([fe80::3cb3:2fce:5c8f:82ee%4]) with mapi id 15.20.6043.038; Thu, 2 Feb 2023 20:45:06 +0000 Date: Thu, 2 Feb 2023 16:45:05 -0400 From: Jason Gunthorpe To: Bjorn Helgaas Cc: Baolu Lu , Bjorn Helgaas , Joerg Roedel , Matt Fagnani , Christian =?utf-8?B?S8O2bmln?= , Kevin Tian , Vasant Hegde , Tony Zhu , linux-pci@vger.kernel.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3 1/1] PCI: Add translated request only flag for pci_enable_pasid() Message-ID: References: <20230202201249.GA1963053@bhelgaas> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230202201249.GA1963053@bhelgaas> X-ClientProxiedBy: BL0PR01CA0017.prod.exchangelabs.com (2603:10b6:208:71::30) To LV2PR12MB5869.namprd12.prod.outlook.com (2603:10b6:408:176::16) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: LV2PR12MB5869:EE_|DS7PR12MB6008:EE_ X-MS-Office365-Filtering-Correlation-Id: 2dcb0ae0-6456-42b2-346a-08db055e5e0b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: kPbdDFrWeRLt2Ls/j7Yt0x5WH9XMK+4f1TYNdu94TIt++JCG23hlkonadHeahgCXPkq9rJJpOgT59w5V8JhLmrVQZG37lD273BNSBnTEi2JAZAxkW22VfitPBkSC9GxA88CKnKh726SQTr90CPF0YVzn8Nh7a2ecCEUvl9dstqtRDE1vLeHl9m9LgpxqfTyXmA+w7W6wGyTbiH9Kqg2vkBo/6lISNl0wiYdpvQg/rixI2bCwxlvR3WGxznodsMQODPGxKCiZHhJ3bH4XfaoQrndSk1gS7JVYbYN113Z8nlLEQ8ACm5W3LgzX3D5b6kamCGBpcaujKWth3LEM3slm70FfonDcGb2h2rx7BNaiQg26hkUT2jd6H4DbaC/EJsTNd+3zuoSwZRVnGEp14IF9uN067aeQKl5zsQvjvg3XNkk9tiRYjcMnyAT/FVv4Mps1OCgrEzNUje/csrgXqILjhd7TWszJnjnOa+Xbq0mKc9rKM+WucrvRG/sH0xFLqm25quoe2R9antbR6/gVxkfNh9+gJVOFpSs9ws/ztzUm2gTaOvfGQVycoW78mRs1NTcEfHYl0ST/0oPWosmoZXGsIRsxxit8jwXq3dZu3200mxX9P+8o+hmRjqbN6chCatipI0RQHOh2VDBmw5U251apPJKceisRkw0NcrVm5XjwJ4kq6CX25KQ7IYPrIXTgkU5/pBGBSIqMF5DixH1/sc9m3ZeScniJNR+utUVhWs6TSyc= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LV2PR12MB5869.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(4636009)(346002)(39860400002)(136003)(366004)(396003)(376002)(451199018)(966005)(2906002)(186003)(36756003)(6512007)(54906003)(26005)(316002)(2616005)(66946007)(6506007)(66556008)(66476007)(478600001)(86362001)(4326008)(5660300002)(6916009)(41300700001)(8936002)(6486002)(8676002)(38100700002)(83380400001)(7416002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?nQ32V47ARvPgWnRGknLAGWNHs7PZn8y04q9UmhKezspY4DRiMgGSWYGTNpw3?= =?us-ascii?Q?8T+Z4LhrijgHLqNSi50e60qKsQkgZM2gy/+zKRJFFEU99edozNs5oEvEdMuT?= =?us-ascii?Q?6ULmquSfNiO5lVE5neQrdq52HkXi7/VkmZyestVXl7E4wrNIW0+6oNd7A150?= =?us-ascii?Q?SZRuFd4MKUG6AZMXt/HA5HPwc0jrOyIxERaOdPK7H820Zij0wOCIlepeh6G8?= =?us-ascii?Q?P5Nra/Ye8UM55fcG+xQBTIqppYtrFFNTvJMEZ958hLzFvMqsGdzLq6FyD55B?= =?us-ascii?Q?PtmiZ1j3I3VntF4zwg2iWRGwnpVndOPReUf455Fdo5fRsc33rALVZ4p1Huft?= =?us-ascii?Q?qwmOdAmpFQpAmJNlr5/uRr30+1Wpa+gaaToVNwOqHQ0Fn0xZg2ANyFmRWNG9?= =?us-ascii?Q?VzfmXWv8IasI9R4IKayB71ZBC1SvcBWz44O3+QO73IbfwSOwsUxucDzSDYhi?= =?us-ascii?Q?Rao0ZQcb6zUmEcJr+HcMTJ+Kcizqy2OG/MHcFZp2WOEIPtj1x2nG9keltNGX?= =?us-ascii?Q?v7okEnEbufcx8UcJ287GeJ6U/M5jtEXZHqnoJjvjv0IPdYU609IqJkIL7Pld?= =?us-ascii?Q?JWlMVdcas6Sk5+FC3WNng2ROML5Wb4cB9sRQjpcRHiOpbIqkxXDSyjqtvrcd?= =?us-ascii?Q?0I37QV0fHDjUa4tbY6Rd3V7fqld7xW1CB0dXOHerumMDU85ksNA/ZsX69rsX?= =?us-ascii?Q?x1Y6Nw26Xb9o3afMELn51fUFaWiYFsLyOqAnlSKXq9i3FFOH2hP1askGulOQ?= =?us-ascii?Q?Co2oT4I4NwYguvUuxQe69QHDQm8EhJbmYHHf9YoXmkeIIqjXIb4WB2fIRz0n?= =?us-ascii?Q?NThb7e/liELazLqLT39PDfx0NamRplN99T8jLRTof5t1NmgdRjL73RmPPzpH?= =?us-ascii?Q?21JqSEI9k1cRFoMyJ/WCGCxLpg/Fe1PfuQQVxjbwCoBvhUVHWPa8kVAHQkrr?= =?us-ascii?Q?iJk4uLBKbU6AF9iKOdGnlZkbb9VpeIUoMAjTbjnbsN/vWX5k0GOqRKQIGbwt?= =?us-ascii?Q?O99VBg4NXok2qhqCi2znO5AdjflNQVxqMEcnOQhaHoHCZU1cQ6ajqgYKOw5o?= =?us-ascii?Q?In+Fh6l8Sx7IT+FLodm90Mmayg4fGO2Pysnw52yWvlR8hSJEBVI8gSaC4WjV?= =?us-ascii?Q?UVs2WzjVbTXevSoJIQHQzyRtbHNsPKTjuzdWpf+Ga3zkkMRilu24vJORQvjW?= =?us-ascii?Q?NkJwxCzKSX8cbdlycmyMFNKXu0bizS4ouPdBsEdd9yziidCTgrPW6P5I/YLF?= =?us-ascii?Q?iomhhWP7SJxVOsQ2B+YHe3FTeoeiYNPFY/XlH0TYc3g/RtVkT1jlTn5iJD5b?= =?us-ascii?Q?8RARvo8UqeUq46jSAfIhnaK6uj/2dSYnZL5AutDX2NROooWp5SvfEjHa3ZQt?= =?us-ascii?Q?kjN7VKns87Z2PjGulXBZ1U0jd8LlDRGZFykllHhW3wtu6gFdkoQU2X4Vp4Ak?= =?us-ascii?Q?VuOwGyrOrdXyDCBeTRqtWmOP1nwdATKPx7HPXA+AxEVJ78OowpmCuRwymNCr?= =?us-ascii?Q?HPWkhz4MPb5STdDG0x8yc8F86hTiA22sYtrK7GDFDa70gTaAQgVsJmKJ4uMJ?= =?us-ascii?Q?2EmnEtJEmpOLtiFrdbN2M/byOw4slMesZ9wquak2?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: 2dcb0ae0-6456-42b2-346a-08db055e5e0b X-MS-Exchange-CrossTenant-AuthSource: LV2PR12MB5869.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Feb 2023 20:45:06.7632 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: sablJoe/ahA3dZ79L3wTYaT+dlra+BJua4KQMZXhir9Ikh44NWaMl4wkWyxlM/ol X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR12MB6008 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 02, 2023 at 02:12:49PM -0600, Bjorn Helgaas wrote: > [Joerg, you may be able to answer this. Patch under discussion is: > https://lore.kernel.org/r/20230114073420.759989-1-baolu.lu@linux.intel.com] > > On Thu, Feb 02, 2023 at 11:08:25AM +0800, Baolu Lu wrote: > > ... > > > ACS is unnecessary for the devices that only use translated memory request > > for PASID. All translated addresses are granted by the Linux kernel which > > ensures that such addresses will never be in a P2P address, i.e., it's not > > contained in any bridge aperture, will *always* be routed toward the RC. > > Re 201007ef707a ("PCI: Enable PASID only when ACS RR & UF enabled on > upstream path"), does that commit actually *fix* anything? I wonder > whether we could revert it completely. > > The intent of 201007ef707a is to use ACS to prevent misrouting, which > would happen if a TLP contained an address that *looked* like a PCI > bus address, i.e., it was inside a host bridge aperture, but was > *intended* to reach an IOMMU or main memory directly. Yes. > 201007ef707a only affects pci_enable_pasid(), so I think we already > avoid this misrouting by restricting DMA address allocation for both > non-IOMMU scenarios and non-PASID IOMMU scenarios. There is no restriction on DMA address allocation with PASID. The typical PASID use case is to point the PASID at the CPU page table and then all VA's are fair game by userspace. There is no carve out like the DMA API has to protect from bus address confusion. > So what about PASID mappings, e.g., consider a mapping of (Requester > ID, PASID, Untranslated Address) -> Translated Address? If either the > Untranslated Address or the Translated Address looks like a PCI bus > address, a Memory Request or Translation Request could be misrouted. The PCI rules are a bit complicated: - A simple MemRd/Wr with a PASID will be routed according to the address. This can be mis-routed - A ATS translation request with a PASID is always routed to the host bridge - A MemRd/Wr with Translated set and no PASID is always routed to the correct destination, even if that is not the host bridge > Do IOMMUs allocate (PASID, Untranslated Addresses) that look like PCI > bus addresses? Yes, because it is mapped to a mm_struct userspace can use any mmap to access any valid address as an IOVA and thus PASID tagged translation must never become confused with bus addresses. Further, and worse, the common use model for PASID SVA is for userspace to directly submit IOVA to the device for operation. If userspace can submit a hostile IOVA and cause DMA to reach something that is not the host bridge then system security is completely wrecked. So, as an API in Linux we felt it was best to only enable PASID if PASID is secure and truely isolated, otherwise leave PASID off. The use cases for insecure PASID seem small. Jason