From mboxrd@z Thu Jan 1 00:00:00 1970 From: Will Deacon Subject: Re: [PATCH v3 0/6] Add support for privileged mappings Date: Fri, 22 Jul 2016 17:51:07 +0100 Message-ID: <20160722165107.GH16837@arm.com> References: <20160719203655.16629-1-mitchelh@codeaurora.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20160719203655.16629-1-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Mitchel Humpherys Cc: Patrick Daly , Jeremy Gebben , Jordan Crouse , Pratik Patel , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Thomas Zeng , linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org List-Id: iommu@lists.linux-foundation.org On Tue, Jul 19, 2016 at 01:36:49PM -0700, Mitchel Humpherys wrote: > The following patch to the ARM SMMU driver: > > commit d346180e70b91b3d5a1ae7e5603e65593d4622bc > Author: Robin Murphy > Date: Tue Jan 26 18:06:34 2016 +0000 > > iommu/arm-smmu: Treat all device transactions as unprivileged > > started forcing all SMMU transactions to come through as "unprivileged". > The rationale given was that: > > (1) There is no way in the IOMMU API to even request privileged mappings. > > (2) It's difficult to implement a DMA mapper that correctly models the > ARM VMSAv8 behavior of unprivileged-writeable => > privileged-execute-never. > > This series rectifies (1) by introducing an IOMMU API for privileged > mappings and implements it in io-pgtable-arm. > > This series rectifies (2) by introducing a new dma attribute > (DMA_ATTR_PRIVILEGED) for users of the DMA API that need privileged > mappings which are inaccessible to lesser-privileged execution levels, and > implements it in the arm64 IOMMU DMA mapper. The one known user (pl330.c) > is converted over to the new attribute. > > Jordan and Jeremy can provide more info on the use case if needed, but the > high level is that it's a security feature to prevent attacks such as [1]. This all looks good to me: Acked-by: Will Deacon It looks pretty fiddly to merge, however. How are you planning to get this upstream? Will From mboxrd@z Thu Jan 1 00:00:00 1970 From: will.deacon@arm.com (Will Deacon) Date: Fri, 22 Jul 2016 17:51:07 +0100 Subject: [PATCH v3 0/6] Add support for privileged mappings In-Reply-To: <20160719203655.16629-1-mitchelh@codeaurora.org> References: <20160719203655.16629-1-mitchelh@codeaurora.org> Message-ID: <20160722165107.GH16837@arm.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On Tue, Jul 19, 2016 at 01:36:49PM -0700, Mitchel Humpherys wrote: > The following patch to the ARM SMMU driver: > > commit d346180e70b91b3d5a1ae7e5603e65593d4622bc > Author: Robin Murphy > Date: Tue Jan 26 18:06:34 2016 +0000 > > iommu/arm-smmu: Treat all device transactions as unprivileged > > started forcing all SMMU transactions to come through as "unprivileged". > The rationale given was that: > > (1) There is no way in the IOMMU API to even request privileged mappings. > > (2) It's difficult to implement a DMA mapper that correctly models the > ARM VMSAv8 behavior of unprivileged-writeable => > privileged-execute-never. > > This series rectifies (1) by introducing an IOMMU API for privileged > mappings and implements it in io-pgtable-arm. > > This series rectifies (2) by introducing a new dma attribute > (DMA_ATTR_PRIVILEGED) for users of the DMA API that need privileged > mappings which are inaccessible to lesser-privileged execution levels, and > implements it in the arm64 IOMMU DMA mapper. The one known user (pl330.c) > is converted over to the new attribute. > > Jordan and Jeremy can provide more info on the use case if needed, but the > high level is that it's a security feature to prevent attacks such as [1]. This all looks good to me: Acked-by: Will Deacon It looks pretty fiddly to merge, however. How are you planning to get this upstream? Will From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752307AbcGVQvJ (ORCPT ); Fri, 22 Jul 2016 12:51:09 -0400 Received: from foss.arm.com ([217.140.101.70]:53966 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751592AbcGVQvI (ORCPT ); Fri, 22 Jul 2016 12:51:08 -0400 Date: Fri, 22 Jul 2016 17:51:07 +0100 From: Will Deacon To: Mitchel Humpherys Cc: iommu@lists.linux-foundation.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Robin Murphy , Marek Szyprowski , Jordan Crouse , Jeremy Gebben , Patrick Daly , Pratik Patel , Thomas Zeng Subject: Re: [PATCH v3 0/6] Add support for privileged mappings Message-ID: <20160722165107.GH16837@arm.com> References: <20160719203655.16629-1-mitchelh@codeaurora.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160719203655.16629-1-mitchelh@codeaurora.org> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 19, 2016 at 01:36:49PM -0700, Mitchel Humpherys wrote: > The following patch to the ARM SMMU driver: > > commit d346180e70b91b3d5a1ae7e5603e65593d4622bc > Author: Robin Murphy > Date: Tue Jan 26 18:06:34 2016 +0000 > > iommu/arm-smmu: Treat all device transactions as unprivileged > > started forcing all SMMU transactions to come through as "unprivileged". > The rationale given was that: > > (1) There is no way in the IOMMU API to even request privileged mappings. > > (2) It's difficult to implement a DMA mapper that correctly models the > ARM VMSAv8 behavior of unprivileged-writeable => > privileged-execute-never. > > This series rectifies (1) by introducing an IOMMU API for privileged > mappings and implements it in io-pgtable-arm. > > This series rectifies (2) by introducing a new dma attribute > (DMA_ATTR_PRIVILEGED) for users of the DMA API that need privileged > mappings which are inaccessible to lesser-privileged execution levels, and > implements it in the arm64 IOMMU DMA mapper. The one known user (pl330.c) > is converted over to the new attribute. > > Jordan and Jeremy can provide more info on the use case if needed, but the > high level is that it's a security feature to prevent attacks such as [1]. This all looks good to me: Acked-by: Will Deacon It looks pretty fiddly to merge, however. How are you planning to get this upstream? Will