From: Baolu Lu <baolu.lu@linux.intel.com>
To: Jason Gunthorpe <jgg@ziepe.ca>, Robin Murphy <robin.murphy@arm.com>
Cc: baolu.lu@linux.intel.com, joro@8bytes.org, will@kernel.org,
	ewagner12@gmail.com, suravee.suthikulpanit@amd.com,
	vashegde@amd.com, iommu@lists.linux.dev,
	linux-kernel@vger.kernel.org, regressions@lists.linux.dev
Subject: Re: [PATCH] iommu: Fix def_domain_type interaction with untrusted devices
Date: Wed, 24 Apr 2024 22:05:27 +0800
Message-ID: <d43d54bc-e51d-4483-80ab-c0d52572de24@linux.intel.com>
In-Reply-To: <20240424130457.GF231144@ziepe.ca>

On 2024/4/24 21:04, Jason Gunthorpe wrote:
>> Furthermore I'm pretty sure we're still letting an
>> untrusted device be hotplugged into an existing group without any
>> checks at all.
> Yes, combining trusted and untrusted in the same group, regardless of
> domain type, is fundamentally wrong and we don't check it.

I suppose this should be fixed in the PCI layer. The current algorithm
is setting external_facing to the pci port which has been marked as an
external facing port.

static void pci_acpi_set_external_facing(struct pci_dev *dev)
{
	u8 val;

	if (pci_pcie_type(dev) != PCI_EXP_TYPE_ROOT_PORT)
		return;
	if (device_property_read_u8(&dev->dev, "ExternalFacingPort", &val))
		return;

	/*
	 * These root ports expose PCIe (including DMA) outside of the
	 * system. Everything downstream from them is external.
	 */
	if (val)
		dev->external_facing = 1;
}

Then, all devices connected to this port are marked as untrusted.

static void set_pcie_untrusted(struct pci_dev *dev)
{
	struct pci_dev *parent;

	/*
	 * If the upstream bridge is untrusted we treat this device
	 * untrusted as well.
	 */
	parent = pci_upstream_bridge(dev);
	if (parent && (parent->untrusted || parent->external_facing))
		dev->untrusted = true;
}

The above algorithms don't consider the ACS. Hence, an untrusted device
could possibly gain P2P access to other devices that are treated as
trusted. This appears to be already broken.

Thus, the impact already goes beyond the iommu group, if I didn't
overlook anything.

Best regards,
baolu
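
The inheritance rule quoted in this message, and the unchecked mixing of trusted and untrusted devices in one group raised in the quoted text, as an added userspace model (not code from the email or the kernel). The `model_*` names, the device table and the group ids are constructed; the sketch assumes the external-facing root port shares a group with everything below it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the struct pci_dev fields used above (hypothetical). */
struct model_dev {
	const char *name;
	int parent;		/* index of the upstream bridge, -1 if none */
	int group;		/* constructed IOMMU group id (assumption) */
	bool external_facing;
	bool untrusted;
};

/* Constructed topology; parents are listed before their children. */
static struct model_dev sample[] = {
	{ "internal-root-port", -1, 0, false, false },
	{ "internal-nic",        0, 0, false, false },
	{ "external-root-port", -1, 1, true,  false },
	{ "dock-switch",         2, 1, false, false },
	{ "dock-nvme",           3, 1, false, false },
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))

/* Same inheritance rule as set_pcie_untrusted(), applied in table order. */
static void model_set_untrusted(struct model_dev *devs, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		int p = devs[i].parent;
		if (p >= 0 && (devs[p].untrusted || devs[p].external_facing))
			devs[i].untrusted = true;
	}
}

/* True when one group holds both trusted and untrusted members. */
static bool model_group_is_mixed(const struct model_dev *devs, size_t n, int group)
{
	bool trusted = false, untrusted = false;
	for (size_t i = 0; i < n; i++) {
		if (devs[i].group != group)
			continue;
		if (devs[i].untrusted)
			untrusted = true;
		else
			trusted = true;
	}
	return trusted && untrusted;
}

int main(void)
{
	model_set_untrusted(sample, SAMPLE_LEN);
	for (int g = 0; g <= 1; g++)
		printf("group %d mixed: %d\n", g, model_group_is_mixed(sample, SAMPLE_LEN, g));
	return 0;
}
```

In this model the external-facing root port itself stays trusted while its descendants become untrusted, so group 1 is reported as mixed even though the marking rule ran exactly as written.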

Thread overview: 13+ messages
2024-04-16 13:00 [PATCH] iommu: Fix def_domain_type interaction with untrusted devices Robin Murphy
2024-04-16 14:33 ` Greg KH
2024-04-16 15:29 ` Jason Gunthorpe
2024-04-17 5:23 ` Vasant Hegde
2024-04-17 16:06 ` Jason Gunthorpe
2024-04-18 11:44 ` Vasant Hegde
2024-04-18 12:02 ` Jason Gunthorpe
2024-04-23 11:26 ` Robin Murphy
2024-04-24 13:04 ` Jason Gunthorpe
2024-04-24 14:05 ` Baolu Lu [this message]
2024-04-24 14:18 ` Baolu Lu
2024-04-24 14:37 ` Jason Gunthorpe
2024-04-25 1:41 ` Baolu Lu