From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY
Date: Sun, 05 Jul 2026 22:25:03 +0000 [thread overview]
Message-ID: <20260705222503.B3F791F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-10-djbw@kernel.org>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] Global device trust default is bypassed for non-PCI devices during IOMMU initialization because `device_initialize_trust()` fails to initialize `bus_trust`.
- [High] Driver binding overwrites `dev->bus_trust`, disabling dynamic IOMMU DMA protections and breaking PCI trust inheritance for downstream devices.
- [Low] Missing `#else` stub for `device_untrusted()` causes compilation errors when `CONFIG_DEVICE_TRUST` is disabled.
- [Low] `enum device_trust` is used as a value type in `struct device`, but it is neither defined nor forward-declared in `<linux/device.h>`.
--
commit e078ccf16f66fc647e7473fedd70781ac6e8fd5d
Author: Dan Williams <djbw@kernel.org>
PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY
This commit elevates the PCI "untrusted" concept to a core device trust
level called DEVICE_TRUST_ADVERSARY. It adds a new bus_trust field to
struct device and uses it to manage trust states before device_add(),
syncing it to the private device trust structure afterwards. It updates
IOMMU and PCI subsystems to use the generic device_untrusted() interface.
> diff --git a/drivers/base/trust.c b/drivers/base/trust.c
> index 0fd494e1557dc..8efbe5c512501 100644
> --- a/drivers/base/trust.c
> +++ b/drivers/base/trust.c
> @@ -6,15 +6,28 @@
> #include <linux/module.h>
> #include "base.h"
>
> +/* If the bus did not initialize trust, set a default */
> void device_initialize_trust(struct device *dev)
> {
> + dev->p->trust = dev->bus_trust;
> if (dev->p->trust == DEVICE_TRUST_UNSET)
> dev->p->trust = DEVICE_DEFAULT_TRUST;
> }
[Severity: High]
Does this bypass the global trust default for non-PCI devices?
The fallback logic updates dev->p->trust to DEVICE_DEFAULT_TRUST but leaves
dev->bus_trust as DEVICE_TRUST_UNSET (0). Since device_untrusted() strictly
evaluates dev->bus_trust, does this leave the trust uninitialized?
Furthermore, IOMMU probes devices via BUS_NOTIFY_ADD_DEVICE in device_add()
before device_initialize_trust() is called. Is bus_trust always 0 during
IOMMU probing for these non-PCI devices, disabling protections like SWIOTLB
bounce buffering?
[ ... ]
> @@ -30,18 +43,23 @@ static enum device_trust driver_trust(struct module *mod)
> * policy on trusting devices it attaches, update the device's trust
> * level from that policy. Trust privileges beyond driver bind are
> * realized in a bus's ->dma_configure().
> + *
> + * Reflect the operational trust level back to the public indicator.
> */
> bool device_trust_bind(const struct device_driver *drv, struct device *dev)
> {
> enum device_trust drv_trust = driver_trust(drv->owner);
>
> - if (drv_trust != DEVICE_TRUST_UNSET)
> + if (drv_trust != DEVICE_TRUST_UNSET) {
> dev->p->trust = drv_trust;
> + dev->bus_trust = drv_trust;
> + }
> return dev->p->trust > DEVICE_TRUST_NONE;
> }
[Severity: High]
Does overwriting dev->bus_trust with the driver's software trust level disable
dynamic IOMMU DMA protections?
When device_untrusted() evaluates dev->bus_trust after binding, it will
transition to false. Will this silently disable protections like SWIOTLB
bounce buffering in dev_use_swiotlb() for active untrusted devices?
Also, if an untrusted parent bridge (e.g., a Thunderbolt port) binds to the
pcieport driver, its bus_trust becomes AUTO. Will hot-plugged downstream
devices fail to inherit the untrusted state because pci_untrusted(parent)
evaluates to false in set_pcie_untrusted()?
[ ... ]
> diff --git a/include/linux/device.h b/include/linux/device.h
> index 7b2baffdd2f55..3e203d573a580 100644
> --- a/include/linux/device.h
> +++ b/include/linux/device.h
> @@ -791,6 +793,7 @@ struct device {
> struct device_physical_location *physical_location;
>
> enum device_removable removable;
> + enum device_trust bus_trust;
>
> DECLARE_BITMAP(flags, DEV_FLAG_COUNT);
> };
[Severity: Low]
Is enum device_trust an incomplete type here?
Since <linux/device/trust.h> is not included in <linux/device.h>, does using
it as a value-type field cause a compilation error in files that don't include
<linux/device/trust.h> manually?
[ ... ]
> diff --git a/include/linux/device/trust.h b/include/linux/device/trust.h
> index 3377d26dc485d..283d3196e5e69 100644
> --- a/include/linux/device/trust.h
> +++ b/include/linux/device/trust.h
[ ... ]
> #ifdef CONFIG_DEVICE_TRUST
> +bool device_untrusted(struct device *dev);
> void module_driver_trust(struct module *mod, const char *val);
> -void module_driver_trust_init(struct module *mod, bool distrust);
> +void module_driver_trust_init(struct module *mod, bool require_trust);
> #else
> static inline void module_driver_trust(struct module *mod, const char *val)
> {
> pr_warn("module: %s: trust= support disabled\n", mod->name);
> }
> -static inline void module_driver_trust_init(struct module *mod, bool distrust)
> +static inline void module_driver_trust_init(struct module *mod, bool require_trust)
> {
> }
> #endif
[Severity: Low]
Does this missing #else stub for device_untrusted() cause build failures?
Since CONFIG_DEVICE_TRUST is selected by PCI, configuring a kernel without PCI
but with IOMMU DMA support leaves device_untrusted() implicitly declared in
core IOMMU code like dev_use_swiotlb(). Should there be a fallback inline
function here?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=9
next prev parent reply other threads:[~2026-07-05 22:25 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17 ` sashiko-bot
2026-07-06 13:45 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25 ` sashiko-bot [this message]
2026-07-06 13:49 ` Jason Gunthorpe
2026-07-07 13:04 ` Robin Murphy
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28 ` sashiko-bot
2026-07-06 12:42 ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55 ` Dan Williams (nvidia)
2026-07-07 12:43 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705222503.B3F791F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=djbw@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.