Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp3234938lqo;
        Wed, 15 May 2024 04:01:05 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWh9Ps7/1YeFIBoVnuM2PaLDidCn9+pGi1yT37zz8rxvQHQHAm3Me9FZ07eG390S6bfxmtTWuU/WGqMRoErnpRQ90igC2UqvfdQkecKIA==
X-Google-Smtp-Source: AGHT+IGbC9aSygHv2sWag+v3VVGeTX34CcD1ohOCqZpfXtLggs5SGOapZHiqwLUTvdmbNXXKu50f
X-Received: by 2002:a9d:6b0d:0:b0:6f0:6ef7:ca39 with SMTP id 46e09a7af769-6f0e9133a7amr18811965a34.9.1715770865460;
        Wed, 15 May 2024 04:01:05 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715770865; cv=pass;
        d=google.com; s=arc-20160816;
        b=m/PhKfIuUaVjPGTgijEBbkPfR+UZk6JcDVyqSBUDTgnPfRfUsThumwxSQ0/4/lUYxs
         jfeECbHJj/vmLU332iwSlDaGilztjkdWm+IyGiJqyxgMWgVIVtQHS+XdDEEK8onDSxd6
         a7ADXcIcpeH8m1ILpzbF2Z3FhUwBa8a19ziHJXsH7IVDm99K8r4OMIUpUCViP0byaMzD
         2mRr5auAYxIxGTuf4tksV8t2UiHVRNpCCjECTIhL4b4I8vHTxqW7tOIfVZMDCrE4KHv3
         b3lLyay5oe5tDsmhx6XTtdl9P340eSBjyRAsnSgsUCMVSNzFloIQ3fgVLGoO8uBcx5RN
         LgvA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id;
        bh=0RQxiorsvOf1WQKA6ouaSJrR7cAlPi2aVfNs4sfIKnA=;
        fh=0XAGB15uw/ad0w0rXWRmuDKjWgzEQ95h+7C2O4TyTQo=;
        b=aqAgco7+fjaM424evkJhpVZ/Lwx8WqCWfb5J74UDxdIAFTzLTFiafhY+h1dDHjvt3S
         asAVFAewj/ALHW1hflTovFLLkruvo4FFabemZxaXjfPqSVj3TSLccyrBJyKnVG9uYl/n
         DbaJn3W1AtessBiEycYtMOvqMzBvZLqwfpKF8u1TOCHjkAaNezQ2GupuuRPnYLZCdyr6
         BpUjdnrGg9crfvAcoBtCZ9Vr5D+FeSMsNH2Dwf9HKVMIKRw7GsjWnFP5YQGYvHnsgSGU
         iqd6DF+qPcpjRTyUvZx/SYD78u7weIxzal6xDZKeAq3GXzpTjNZKJnRUJEtud9UzeP/x
         asnQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com);
       spf=pass (google.com: domain of linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Return-Path: <linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id 46e09a7af769-6f0e73e45cfsi4477981a34.315.2024.05.15.04.01.05
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 15 May 2024 04:01:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com);
       spf=pass (google.com: domain of linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179784-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id CB738283429
	for <linux.lists.archive@gmail.com>; Wed, 15 May 2024 11:01:04 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id D74636D1B2;
	Wed, 15 May 2024 11:00:57 +0000 (UTC)
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5BFF25684;
	Wed, 15 May 2024 11:00:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715770857; cv=none; b=KW79ae24X5jAmSkRLhmpc7u+rRRQ3cEGMZYJhLuhdfKYyf9+36ewm/vsz9MdeuAvbonPDB/h1E2DwbcvTzs6mcYKZP0ndYBAJ7Pkc8BvXGuHag869c7oJvbpQOmgcsvup7MT/KhIXxvDkLWSyCS2a87pnobHwReyWW/dauu6DAI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715770857; c=relaxed/simple;
	bh=J0syEP7m8ViRgWIbwy/RsJt/oCEtIdMONMLqCdV2agU=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=jqByRfHTbxBwpEeKGeEC4SDI21uujGeTp8IukEZZD/YEPSpIAOI4EfJ4UFqiQWu/VLrzSvBpH2o6DgU2Kq/hFH0x3cLtJIYEcpcnTOVTJa+XXSsWOKm9dqXKZXJTV03t66nydAUq0bi7gmTRIjW68/sZOx+lEHDcbWchqdjztHQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 56E141042;
	Wed, 15 May 2024 04:01:18 -0700 (PDT)
Received: from [10.57.34.212] (unknown [10.57.34.212])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id AC2293F762;
	Wed, 15 May 2024 04:00:50 -0700 (PDT)
Message-ID: <4e89f047-ae70-43a8-a459-e375ca05b2c2@arm.com>
Date: Wed, 15 May 2024 12:00:49 +0100
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v2 10/14] arm64: Force device mappings to be non-secure
 shared
Content-Language: en-GB
To: Catalin Marinas <catalin.marinas@arm.com>,
 Steven Price <steven.price@arm.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.linux.dev, Marc Zyngier
 <maz@kernel.org>, Will Deacon <will@kernel.org>,
 James Morse <james.morse@arm.com>, Oliver Upton <oliver.upton@linux.dev>,
 Zenghui Yu <yuzenghui@huawei.com>, linux-arm-kernel@lists.infradead.org,
 linux-kernel@vger.kernel.org, Joey Gouly <joey.gouly@arm.com>,
 Alexandru Elisei <alexandru.elisei@arm.com>,
 Christoffer Dall <christoffer.dall@arm.com>, Fuad Tabba <tabba@google.com>,
 linux-coco@lists.linux.dev,
 Ganapatrao Kulkarni <gankulkarni@os.amperecomputing.com>
References: <20240412084213.1733764-1-steven.price@arm.com>
 <20240412084213.1733764-11-steven.price@arm.com> <ZkR535Hmh3WkMYai@arm.com>
From: Suzuki K Poulose <suzuki.poulose@arm.com>
In-Reply-To: <ZkR535Hmh3WkMYai@arm.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 15/05/2024 10:01, Catalin Marinas wrote:
> On Fri, Apr 12, 2024 at 09:42:09AM +0100, Steven Price wrote:
>> From: Suzuki K Poulose <suzuki.poulose@arm.com>
>>
>> Device mappings (currently) need to be emulated by the VMM so must be
>> mapped shared with the host.
> 
> You say "currently". What's the plan when the device is not emulated?
> How would the guest distinguish what's emulated and what's not to avoid
> setting the PROT_NS_SHARED bit?

Arm CCA plans to add support for passing through real devices,
which support PCI-TDISP protocol. This would involve the Realm
authenticating the device and explicitly requesting "protected"
mapping *after* the verification (with the help of RMM).




> 
>> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
>> Signed-off-by: Steven Price <steven.price@arm.com>
>> ---
>>   arch/arm64/include/asm/pgtable.h | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
>> index f5376bd567a1..db71c564ec21 100644
>> --- a/arch/arm64/include/asm/pgtable.h
>> +++ b/arch/arm64/include/asm/pgtable.h
>> @@ -598,7 +598,7 @@ static inline void set_pud_at(struct mm_struct *mm, unsigned long addr,
>>   #define pgprot_writecombine(prot) \
>>   	__pgprot_modify(prot, PTE_ATTRINDX_MASK, PTE_ATTRINDX(MT_NORMAL_NC) | PTE_PXN | PTE_UXN)
>>   #define pgprot_device(prot) \
>> -	__pgprot_modify(prot, PTE_ATTRINDX_MASK, PTE_ATTRINDX(MT_DEVICE_nGnRE) | PTE_PXN | PTE_UXN)
>> +	__pgprot_modify(prot, PTE_ATTRINDX_MASK, PTE_ATTRINDX(MT_DEVICE_nGnRE) | PTE_PXN | PTE_UXN | PROT_NS_SHARED)
> 
> This pgprot_device() is not the only one used to map device resources.
> pgprot_writecombine() is another commonly macro. It feels like a hack to
> plug one but not the other and without any way for the guest to figure
> out what's emulated.

Agree. I have been exploring hooking this into ioremap_prot() where we
could apply the attribute accordingly. We will change it in the next 
version.

> 
> Can the DT actually place those emulated ranges in the higher IPA space
> so that we avoid randomly adding this attribute for devices?

It can, but then we kind of break the "Realm" view of the IPA space. 
i.e., right now it only knows about the "lower IPA" half and uses the 
top bit as a protection attr to access the IPA as shared.

Expanding IPA size view kind of breaks "sharing memory", where, we
must "use a different PA" for a page that is now shared.

Suzuki