From mboxrd@z Thu Jan 1 00:00:00 1970 From: Joerg Roedel Subject: Re: [RFC PATCH] iommu/vt-d: Add IOTLB flush support for kernel addresses Date: Fri, 23 Oct 2015 14:42:58 +0200 Message-ID: <20151023124257.GB27420@8bytes.org> References: <1445356379.4486.56.camel@infradead.org> <20151020160328.GV27420@8bytes.org> <1445357824.4486.65.camel@infradead.org> <20151023102043.GZ27420@8bytes.org> <1445596413.4113.175.camel@infradead.org> <20151023110359.GA27420@8bytes.org> <1445600226.4113.196.camel@infradead.org> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Content-Disposition: inline In-Reply-To: <1445600226.4113.196.camel-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: David Woodhouse Cc: "linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org" , iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Sudeep Dutt List-Id: iommu@lists.linux-foundation.org T24gRnJpLCBPY3QgMjMsIDIwMTUgYXQgMTI6Mzc6MDZQTSArMDEwMCwgRGF2aWQgV29vZGhvdXNl IHdyb3RlOgo+IEl0J3MgbW9yZSB0aGFuIHRoYXQg4oCUIGl0J3MgZXF1aXZhbGVudCB0byB0aGUg c2l0dWF0aW9uICp3aXRoKiB0aGUKPiBJT01NVS4KPiAKPiBIYXZpbmcgYSAqc2VwYXJhdGUqIFBB U0lEIHdoaWNoIGlzIHRoZSBvbmx5IFBBU0lEIHdlIGNhbiB1c2UgZm9yIGtlcm5lbAo+IG1vZGUg aXMgKm5vdCogYSBzZWN1cml0eSBpbXByb3ZlbWVudC4gSW4gdGhlIGdlbmVyYWwgY2FzZSwgaWYg YSB1c2VyCj4gY2FuIHRyaWNrIHRoZSBkZXZpY2UgaW50byBzZXR0aW5nIHRoZSAnc3VwZXJ2aXNv ciBtb2RlJyBiaXQgb24gYSBnaXZlbgo+IGFjY2VzcywgaXQgY291bGQgcHJvYmFibHkganVzdCBh cyBlYXNpbHkgdHJpY2sgdGhlIGRldmljZSBpbnRvIHVzaW5nCj4gdGhlIHNlcGFyYXRlIGtlcm5l bCBQQVNJRCBmb3IgdGhhdCBhY2Nlc3MuIEluIG5laXRoZXIgY2FzZSBpcyBpdCBhcwo+IHNpbXBs ZSBhcyBqdXN0IGFza2luZyB0aGUgZGV2aWNlIHRvIHVzZSBhIGtlcm5lbCBhZGRyZXNzLgo+IAo+ IEknbSBub3QgcHJvcG9zaW5nIGl0IGZvciB0aGF0IHJlYXNvbiwgd2hpY2ggaXMgd2h5IEknbSBv YmplY3RpbmcgdG8KPiB5b3VyICd3ZSBoYXZlIHRvLi4uJyByZXNwb25zZS4gQWx0aG91Z2ggbWF5 YmUgSSBzaG91bGQgc2h1dCB1cCwgYmVjYXVzZQo+IEknbSBwbGVhc2VkIHlvdSBhcmVuJ3Qgb2Jq ZWN0aW5nIHRvIG15IHBsYW4gYW5kIHNheWluZyB0aGF0IHdlICpkbyoKPiBuZWVkIHRvIHBlcm1p dCBzdXBlcnZpc29yLW1vZGUgYWNjZXNzIGluIG5vcm1hbCBQQVNJRHMuCgpBdCBiZXN0IEknZCBs aWtlIHRvIGF2b2lkIHN1cGVydmlzb3IgYWNjZXNzIGZvciBkZXZpY2VzIGF0IGFsbCwgYnV0CnRo ZXJlIHNlZW1zIHRvIGJlIGEgbmVlZCBmb3IgaXQsIHNvIEkgbG9va3MgbGlrZSB3ZSBuZWVkIHRv IHByb3ZpZGUgaXQuClRoZXJlZm9yZSBJIHRoaW5rIHRoYXQgeW91ciBpZGVhIHRvIGhhdmUgYSBz ZXBlcmF0ZSBQQVNJRCBmb3Iga2VybmVsCmFjY2VzcywgYW5kIG9ubHkga2VybmVsIGFjY2Vzcywg aXMgYSBnb29kIG9uZS4gV2UgZXZlbiBkb24ndCBuZWVkIHRvIHVzZQphIGRlZmluZWQgUEFTSUQs IHdlIGNhbiByYW5kb21pemUgdGhlIFBBU0lEIHVzZWQgZm9yIGtlcm5lbCBhY2Nlc3NlcyBhbmQK bWFrZSBpdCBoYXJkZXIgdG8gZ3Vlc3MgdGhpcyB3YXkuCgpCdXQgaGF2aW5nIGJvdGgsIGtlcm5l bCBhbmQgc3VwZXJ2aXNvciBhY2Nlc3MsIGFsbG93ZWQgZm9yIGEgUEFTSUQgaXMKYW5vdGhlciBz dG9yeSwgYW5kIEkgdGhpbmsgd2UgbmVlZCB0byBiZSBjYXJlZnVsIHdpdGggdGhhdCAob3IgYXQg bGVhc3QKYXZvaWQgdGhhdCB0aGUgZHJpdmVyIHdyaXRlcnMgbmVlZCB0byBjYXJlIHRoYXQgbXVj aCBhYm91dCBpdCB0byBwcmV2ZW50CnVzZXJzcGFjZSBmcm9tIGdldHRpbmcgYWNjZXNzIHRvIGtl cm5lbCBtZW1vcnkpLgoKPiBZb3UgbWVhbiBhbiBpbmxpbmUgZnVuY3Rpb24gd2hpY2ggY2hlY2tz IGZvciBpb21tdS0+a2VybmVsX3N2bSDiiIAgaW9tbXU/Cj4gQW5kIGRvZXMgdGhlIGVxdWl2YWxl bnQgZm9yIG90aGVyIElPTU1Vcz8gSSB3b3VsZG4ndCB3YW50IElPTU1VCj4gLXNwZWNpZmljIGNv ZGUgaW4gdGhlcmU7IGp1c3QgYSBkZWNpc2lvbiBhYm91dCB3aGV0aGVyIHRvIGNhbGwgdGhlIG91 dAo+IC1vZi1saW5lIGZ1bmN0aW9uLgo+IAo+IE9yIG1heWJlIGlmIHdlIGFyZSBtYWtpbmcgUEFT SUQgaGFuZGxpbmcgZ2VuZXJpYyBhbmQgc3lzdGVtLXdpZGUsIGl0Cj4gcmVhbGx5IGRvZXMgYmVj b21lIGEgY2FzZSBvZiAnaWYgKGluaXRfbW0ucGFzaWQgIT0gLTEpJyAuLi4/CgpZZXMsIHNvbWV0 aGluZyBsaWtlIHRoYXQsIGFuZCBvZiBjb3Vyc2UgaW5kZXBlbmRlbnQgb2YgdGhlIGlvbW11LiBX aGVuCndlIGhhdmUgYSBzeXN0ZW0td2lkZSBQQVNJRCByZWdpc3RyeSB3ZSBjYW4gY2hlY2sgYWdh aW5zdCB0aGF0LCBvcgppbnRyb2R1Y2UgYSBnbG9iYWwgcmVhZF9tb3N0bHkgZmxhZy4gVXNpbmcg aW5pdF9tbSByZWZjb3VudGluZyBvciBmbGFncwphbHNvIHNvdW5kcyBsaWtlIGEgZ29vZCBpZGVh LgoKCglKb2VyZwoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X18KaW9tbXUgbWFpbGluZyBsaXN0CmlvbW11QGxpc3RzLmxpbnV4LWZvdW5kYXRpb24ub3JnCmh0 dHBzOi8vbGlzdHMubGludXhmb3VuZGF0aW9uLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2lvbW11 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) by kanga.kvack.org (Postfix) with ESMTP id B13D96B0038 for ; Fri, 23 Oct 2015 08:43:03 -0400 (EDT) Received: by wicll6 with SMTP id ll6so29650250wic.0 for ; Fri, 23 Oct 2015 05:43:03 -0700 (PDT) Received: from theia.8bytes.org (8bytes.org. [81.169.241.247]) by mx.google.com with ESMTPS id bw2si24655232wjc.127.2015.10.23.05.42.58 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Oct 2015 05:42:58 -0700 (PDT) Date: Fri, 23 Oct 2015 14:42:58 +0200 From: Joerg Roedel Subject: Re: [RFC PATCH] iommu/vt-d: Add IOTLB flush support for kernel addresses Message-ID: <20151023124257.GB27420@8bytes.org> References: <1445356379.4486.56.camel@infradead.org> <20151020160328.GV27420@8bytes.org> <1445357824.4486.65.camel@infradead.org> <20151023102043.GZ27420@8bytes.org> <1445596413.4113.175.camel@infradead.org> <20151023110359.GA27420@8bytes.org> <1445600226.4113.196.camel@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1445600226.4113.196.camel@infradead.org> Sender: owner-linux-mm@kvack.org List-ID: To: David Woodhouse Cc: "linux-mm@kvack.org" , iommu@lists.linux-foundation.org, Sudeep Dutt On Fri, Oct 23, 2015 at 12:37:06PM +0100, David Woodhouse wrote: > It's more than that a?? it's equivalent to the situation *with* the > IOMMU. > > Having a *separate* PASID which is the only PASID we can use for kernel > mode is *not* a security improvement. In the general case, if a user > can trick the device into setting the 'supervisor mode' bit on a given > access, it could probably just as easily trick the device into using > the separate kernel PASID for that access. In neither case is it as > simple as just asking the device to use a kernel address. > > I'm not proposing it for that reason, which is why I'm objecting to > your 'we have to...' response. Although maybe I should shut up, because > I'm pleased you aren't objecting to my plan and saying that we *do* > need to permit supervisor-mode access in normal PASIDs. At best I'd like to avoid supervisor access for devices at all, but there seems to be a need for it, so I looks like we need to provide it. Therefore I think that your idea to have a seperate PASID for kernel access, and only kernel access, is a good one. We even don't need to use a defined PASID, we can randomize the PASID used for kernel accesses and make it harder to guess this way. But having both, kernel and supervisor access, allowed for a PASID is another story, and I think we need to be careful with that (or at least avoid that the driver writers need to care that much about it to prevent userspace from getting access to kernel memory). > You mean an inline function which checks for iommu->kernel_svm a?? iommu? > And does the equivalent for other IOMMUs? I wouldn't want IOMMU > -specific code in there; just a decision about whether to call the out > -of-line function. > > Or maybe if we are making PASID handling generic and system-wide, it > really does become a case of 'if (init_mm.pasid != -1)' ...? Yes, something like that, and of course independent of the iommu. When we have a system-wide PASID registry we can check against that, or introduce a global read_mostly flag. Using init_mm refcounting or flags also sounds like a good idea. Joerg -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org