Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp1279473lqd; Thu, 25 Apr 2024 10:31:58 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWWbnsH08fm21pEDJTiX2LWPJo2o8vGm2S4GCmVAfQUXFtSQcuMnhXc2i37LO77mvnddxDbeQ++Tp9D3hPL0Rt73ss+S2AU0LklekqDcQ== X-Google-Smtp-Source: AGHT+IG7eweUqA03zKFOyl2Y3w2bAfy4QYtRtfywRyNU4KF3IgBe3eZw+T24G4luP2hUTTvnf2ST X-Received: by 2002:ac2:46e9:0:b0:51b:3493:81ce with SMTP id q9-20020ac246e9000000b0051b349381cemr16770lfo.40.1714066318293; Thu, 25 Apr 2024 10:31:58 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714066318; cv=pass; d=google.com; s=arc-20160816; b=woPUIlOud0w4M0skhK/SBRB0ulctao4UtORfjQR9QV7QCJHhcH6IgDrHYHcqBlPBQb CSMLw3e4H5/ANWdsmr65xbNyfLb0GeGZvvV09qw5PYcS4a1U8Wlz478mln5osO32Tbvm yMoSsB0Cz9YSI3EKQ4bAPrMQDRnyuxB7B8fyGLVwqu0Tvd0c2Oss3kBUkShvqnfDR6uj dfVSB1GbefYepVZIfqimUBXtaX+8xvBBH4WTkmfg6SNv/OkHqyBTTDjhEYO5ii1J40xE bW0uW9dRGDqSV8opx9V1ck9tsETeowMR1RPvRyurBhWr0F5DOuufVBGlSFQFQaSwtRRf zE3A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:organization:references :in-reply-to:message-id:subject:cc:to:from:date; bh=4yo6xCAfvvnW9MBNssd4M2HgoC2dMmG3VTnxhTihsBA=; fh=eUFgDyrm9CeIHDgjHGcgkZXkkTjtoTgljjj+lVRE5iI=; b=JlecsFIrsfpH7XwDjkQBPh3GZQI0ciEYqwEa1fOcNUlAkTAo7zFP9QSdOghXRcrN8p V0TJq7QHB0f9VtKYlKd77LqDeXQTGAukA59KSBmLSIL2gJ2z8oV2AP8HDU+MSfMjFdB2 83VoLcvuBJ5GahPqBCL3/WqHaEUG27ohD1sYS95Dqk3qgemKZ7OoyhtgHHVdH6quYsVL siYBeOPH/9MZvn4xRIkzTUNrLUCM0WHu2SRCgnHkNN9IGP+8dl/nBu4jSzuxaZFaDz07 Dpo0zuK9DSrv/RQOVAfGEQeORJ0/iHhMt7dRvDCdcrwco73tQCq3na2PkgP4EGjqmRvx UAsw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-158972-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158972-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id p12-20020a170906a00c00b00a56cb2718d0si4734653ejy.260.2024.04.25.10.31.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Apr 2024 10:31:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-158972-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-158972-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158972-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id BC6151F25F2F for ; Thu, 25 Apr 2024 17:26:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id AE2B614EC41; Thu, 25 Apr 2024 17:26:13 +0000 (UTC) Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56BA014B077; Thu, 25 Apr 2024 17:26:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.176.79.56 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714065973; cv=none; b=mYv8Rl7rlnniw1lt4LQSc3UOxGWZY9ulbvMUqeBdal2qyI4jIA0AdJNp9Z085aYQbdegnJLaD3gHoxrlJYzlMSFAE7yNzBwdy7EiDSLHeogU8kwv7CDDab8IzTzcgGzDW38ZH0YKtPOwweaXj/DuOZMqETjIaPEpcHGYCAwREqw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714065973; c=relaxed/simple; bh=3mQMCNkjITWlTa2ZzqZEImLGvvbd5agAGSP3TETx2I4=; h=Date:From:To:CC:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=jHw1+J3V6YdnHqa1ixi7DHC6wz/DEkC55nGAHpNFPXkHKo3hxiUHwIYFGV3xY7KmjxNwPWAJkpdbOfkTlZ0+WJ1LnNGq11W8lj2GYxTWZ89rd9GC16paSy+HFp/6uhiW42jnG1FlpxL2NJyqYA3DeY2G31qOBI5Rs4ft80atOjk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=Huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=185.176.79.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=Huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4VQN4H6QSvz67GVD; Fri, 26 Apr 2024 01:23:43 +0800 (CST) Received: from lhrpeml500005.china.huawei.com (unknown [7.191.163.240]) by mail.maildlp.com (Postfix) with ESMTPS id BC294140C98; Fri, 26 Apr 2024 01:26:06 +0800 (CST) Received: from localhost (10.202.227.76) by lhrpeml500005.china.huawei.com (7.191.163.240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Thu, 25 Apr 2024 18:26:06 +0100 Date: Thu, 25 Apr 2024 18:26:05 +0100 From: Jonathan Cameron To: Dan Williams CC: , Sreenivas Bagalkote , Brett Henning , Harold Johnson , Sumanesh Samanta , , Davidlohr Bueso , "Dave Jiang" , Alison Schofield , Vishal Verma , "Ira Weiny" , , , Lorenzo Pieralisi , "Natu, Mahesh" , Subject: Re: RFC: Restricting userspace interfaces for CXL fabric management Message-ID: <20240425182605.00005f22@Huawei.com> In-Reply-To: <662a826dbeeff_b6e02943c@dwillia2-mobl3.amr.corp.intel.com.notmuch> References: <20240321174423.00007e0d@Huawei.com> <66109191f3d6d_2583ad29468@dwillia2-xfh.jf.intel.com.notmuch> <20240410124517.000075f2@Huawei.com> <66284d5e8ac01_690a29431@dwillia2-xfh.jf.intel.com.notmuch> <20240425123344.000001a9@Huawei.com> <662a826dbeeff_b6e02943c@dwillia2-mobl3.amr.corp.intel.com.notmuch> Organization: Huawei Technologies Research and Development (UK) Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.33; x86_64-w64-mingw32) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-ClientProxiedBy: lhrpeml100003.china.huawei.com (7.191.160.210) To lhrpeml500005.china.huawei.com (7.191.163.240) On Thu, 25 Apr 2024 09:18:53 -0700 Dan Williams wrote: > Jonathan Cameron wrote: > [..] > > > Also, the assertion that these kernels will be built with > > > CONFIG_SECURITY_LOCKDOWN_LSM=n and likely CONFIG_STRICT_DEVMEM=n, then > > > the entire user-mode driver ABI is available for use. CXL commands are > > > simple polled mmio, does Linux really benefit from carrying drivers in > > > the kernel that the kernel itself does not care about? > > > > Sure we could it in userspace... It's bad engineering, limits the design > > to polling only and uses a bunch of interfaces we put a lot of effort into > > telling people not to use except for debug. > > > > I really don't see the advantage in pushing a project/group of projects > > all of which are picking the upstream kernel up directly, to do a dirty > > hack. We loose all the advantages of a proper well maintained kernel > > driver purely on the argument that one use model is not the same as > > this one. Sensible security lockdown requirements is fine (along > > with all the other kernel features that must be disable for that > > to work), making open kernel development on for a large Linux > > market harder is not. > > The minimum requirement for justifying an in kernel driver is that > something else in the kernel consumes that facility. So, again, I want > to get back to specifics what else in the kernel is going to leverage > the Switch CCI mailbox? Why? I've never heard of such as a requirement and numerous drivers provide fairly direct access to hardware. Sometimes there is a subsystem aiding the data formatting etc, but fundamentally that's a convenience. Taking this to a silly level, on this basis all networking drivers would not be in the kernel. They are there mainly to provide userspace access to a network. Any of the hardware access subsystems such hwmon, input, IIO etc are primarily about providing a convenient way to get data to/from a device. They are kernel drivers because that is the cleaner path for data marshaling, interrupt handling etc. In kernel users are a perfectly valid reason to have a kernel driver, but it's far from the only one. None of the AI accelerators have in kernel users today (maybe they will in future). Sure there are other arguments that mean only a few such devices have been upstreamed, but it's not that they need in kernel users. If it's really an issue I'll just submit it to driver/misc and Greg can take a view on whether it's an acceptable device to have driver for... (after he's asked the obvious question of why aren't the CXL folk taking it!) +cc Greg to save providing info later. For background this is a PCI function with a mailbox used for switch configuration. The mailbox is identical to the one found on CXL type3 devices. Whole thing defined in the CXL spec. It gets a little complex because you can tunnel commands to devices connected to the switch, potentially affecting other hosts. Typical Linux device doing this would be a BMC, but there have been repeated questions about providing a subset of access to any Linux system (avoiding the foot guns) Whole thing fully discoverable - proposal is a standard PCI driver. > > The generic-Type-3-device mailbox has an in kernel driver because the > kernel has need to send mailbox commands internally and it is > fundamental to RAS and provisioning flows that the kernel have this > coordination. What are the motivations for an in-band Switch CCI command > submission path? > > It could be the case that you have a self-evident example in mind that I > have thus far failed to realize. > There are possibilities, but for now it's a transport driver just like MCTP etc with a well defined chardev interface, with documented ioctl interface etc (which I'd keep inline with one the CXL mailbox uses just to avoid reinventing the wheel - I'd prefer to use that directly to avoid divergence but I don't care that much). As far as I can see, with the security / blast radius concern alleviated by disabling this if lockdown is in use + taint for unaudited commands (and a nasty sounding config similar to the cxl mailbox one) there is little reason not to take such a driver into the kernel. It has next to no maintenance impact outside of itself and a bit of library code which I've proposed pushing down to the level of MMPT (so PCI not CXL) if you think that is necessary. We want interrupt handling and basic access controls / command interface to userspace. Apologies if I'm grumpy - several long days of battling cpu hotplug code. Jonathan