[RFC PATCH v2 5/5] dma-mapping: Add doc for memory encryption

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mostafa Saleh <smostafa@google.com>
To: iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: robin.murphy@arm.com, m.szyprowski@samsung.com, will@kernel.org,
	 maz@kernel.org, suzuki.poulose@arm.com, catalin.marinas@arm.com,
	 jiri@resnulli.us, jgg@ziepe.ca, aneesh.kumar@kernel.org,
	 Mostafa Saleh <smostafa@google.com>
Subject: [RFC PATCH v2 5/5] dma-mapping: Add doc for memory encryption
Date: Mon, 30 Mar 2026 14:50:43 +0000	[thread overview]
Message-ID: <20260330145043.1586623-6-smostafa@google.com> (raw)
In-Reply-To: <20260330145043.1586623-1-smostafa@google.com>

Add a document for memory encryption usage with dma-direct.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
---
 .../core-api/dma-direct-memory-encryption.rst | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 Documentation/core-api/dma-direct-memory-encryption.rst

diff --git a/Documentation/core-api/dma-direct-memory-encryption.rst b/Documentation/core-api/dma-direct-memory-encryption.rst
new file mode 100644
index 000000000000..a780279292b5
--- /dev/null
+++ b/Documentation/core-api/dma-direct-memory-encryption.rst
@@ -0,0 +1,77 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+============================================
+DMA Direct and Memory Encryption Integration
+============================================
+
+Introduction
+------------
+Modern platforms introduce memory encryption features (e.g., AMD SEV, Intel TDX,
+ARM CCA, and pKVM) typically for CoCo when running protected virtual machines.
+
+These guests typically boot with their memory encrypted by default.
+
+In some cases this memory needs to be accessed by the untrusted host or the
+VMM which then requires this memory to be decrypted. One typical case is
+dealing with emulated device (e.g., virtio) which are handled by direct-dma
+code as these devices are not behind an IOMMU.
+
+That means, the memory used by these devices must be decrypted before accessed
+by the untrusted host.
+
+It must be clarified that encrypted/decrypted may not always be
+cryptographic; in a broader sense, a decrypted page means that it is
+accessible or "shared" with the untrusted host.
+
+Ownership
+---------
+The direct-dma layer deals with memory encryption in two distinct scenarios:
+
+1. **Externally Managed Decryption (e.g., Restricted DMA Pools)**
+   In some setups (like a device restricted to a specific SWIOTLB pool, i.e.,
+   `DMA_RESTRICTED_POOL`), an entire region of memory is pre-decrypted during
+   boot or pool initialization. The memory is owned by the pool, and the
+   transitions (encryption/decryption) are **not** managed by direct-dma on
+   a per-allocation basis.
+   See Documentation/core-api/swiotlb.rst
+
+2. **DMA Direct Managed Decryption (e.g., `force_dma_unencrypted()`)**
+   For standard coherent DMA allocations the direct-dma layer is explicitly
+   responsible for managing the decryption. It must decrypt the pages upon
+   allocation and re-encrypt them upon freeing.
+
+To cleanly separate these concerns, the core logic is abstracted via three
+internal helpers:
+
+* ``dma_external_decryption(dev)``: Returns true if the pages are decrypted but
+  managed externally. For example, if the device allocates from a restricted
+  DMA pool.
+* ``dma_owns_decryption(dev)``: Returns true if the pages need to be explicitly
+  decrypted and managed by the direct-dma layer (i.e., the architecture forces
+  unencrypted DMA, and it's not handled by an external pool).
+* ``is_dma_decrypted(dev)``: Returns true if the memory being used is in a
+  decrypted state, regardless of who manages it.
+
+Addressing and Page Protections
+-------------------------------
+When memory is decrypted (whether externally or by direct-dma), the layer must
+adjust physical-to-DMA address conversions and page protections:
+
+* **DMA Address Conversion:**
+  Decrypted memory often requires a specific bit to be cleared or set in the DMA
+  address (e.g., stripping the encryption bit). If ``is_dma_decrypted(dev)`` is
+  true, the conversion uses ``phys_to_dma_unencrypted()`` instead of the standard
+  ``phys_to_dma()``.
+
+* **Page Protections (Remap and Mmap):**
+  When remapping decrypted pages into the kernel virtual address space (vmalloc)
+  or mapping them to user space via ``mmap()``, the page protection attributes
+  must reflect the decrypted state. If ``is_dma_decrypted(dev)`` is true, the
+  layer applies ``pgprot_decrypted(prot)`` to ensure the CPU accesses the memory
+  with the correct encryption attributes.
+
+Notes
+-----
+In many cases when memory encryption/decryption fails the page will be leaked,
+that's was added for TDX, where ``set_memory_encrypted()`` or
+``set_memory_decrypted()``may fail while the page remains shared.
-- 
2.53.0.1185.g05d4b7b318-goog

     prev parent reply	other threads:[~2026-03-30 14:51 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-30 14:50 [RFC PATCH v2 0/5] dma-mapping: Fixes for memory encryption Mostafa Saleh
2026-03-30 14:50 ` [RFC PATCH v2 1/5] dma-mapping: Avoid double decrypting with DMA_RESTRICTED_POOL Mostafa Saleh
2026-03-30 15:06   ` Jason Gunthorpe
2026-03-30 20:43     ` Mostafa Saleh
2026-03-31 11:34       ` Suzuki K Poulose
2026-03-31 12:50         ` Mostafa Saleh
2026-04-13  6:00       ` Aneesh Kumar K.V
2026-04-13 12:35         ` Jason Gunthorpe
2026-04-13 15:25           ` Aneesh Kumar K.V
2026-04-13 16:10             ` Jason Gunthorpe
2026-03-30 14:50 ` [RFC PATCH v2 2/5] dma-mapping: Use the correct phys_to_dma() for DMA_RESTRICTED_POOL Mostafa Saleh
2026-03-30 15:09   ` Jason Gunthorpe
2026-03-30 20:47     ` Mostafa Saleh
2026-03-30 22:28       ` Jason Gunthorpe
2026-04-13  6:08   ` Aneesh Kumar K.V
2026-04-15 20:27     ` Mostafa Saleh
2026-04-16  6:50       ` Aneesh Kumar K.V
2026-04-16  8:35         ` Mostafa Saleh
2026-03-30 14:50 ` [RFC PATCH v2 3/5] dma-mapping: Decrypt memory on remap Mostafa Saleh
2026-03-30 15:19   ` Jason Gunthorpe
2026-03-30 20:49     ` Mostafa Saleh
2026-03-30 22:30       ` Jason Gunthorpe
2026-04-13  6:23   ` Aneesh Kumar K.V
2026-04-15 20:31     ` Mostafa Saleh
2026-03-30 14:50 ` [RFC PATCH v2 4/5] dma-mapping: Refactor memory encryption usage Mostafa Saleh
2026-03-30 15:27   ` Jason Gunthorpe
2026-03-30 14:50 ` Mostafa Saleh [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a780279292b )
 OR (
bs:"[RFC PATCH v2 5/5] dma-mapping: Add doc for memory encryption" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260330145043.1586623-6-smostafa@google.com \
    --to=smostafa@google.com \
    --cc=aneesh.kumar@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=iommu@lists.linux.dev \
    --cc=jgg@ziepe.ca \
    --cc=jiri@resnulli.us \
    --cc=linux-kernel@vger.kernel.org \
    --cc=m.szyprowski@samsung.com \
    --cc=maz@kernel.org \
    --cc=robin.murphy@arm.com \
    --cc=suzuki.poulose@arm.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.