From: Jason Gunthorpe <jgg@nvidia.com>
To: Robin Murphy <robin.murphy@arm.com>
Cc: Alex Williamson <alex.williamson@redhat.com>,
Lu Baolu <baolu.lu@linux.intel.com>,
Cornelia Huck <cohuck@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
iommu@lists.linux-foundation.org, Joerg Roedel <joro@8bytes.org>,
kvm@vger.kernel.org,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Will Deacon <will@kernel.org>, Christoph Hellwig <hch@lst.de>,
"Tian, Kevin" <kevin.tian@intel.com>
Subject: Re: [PATCH v2 0/4] Make the iommu driver no-snoop block feature consistent
Date: Thu, 7 Apr 2022 16:08:24 -0300 [thread overview]
Message-ID: <20220407190824.GS2120790@nvidia.com> (raw)
In-Reply-To: <77482321-2e39-fc7c-09b6-e929a851a80f@arm.com>
On Thu, Apr 07, 2022 at 07:02:03PM +0100, Robin Murphy wrote:
> On 2022-04-07 18:43, Jason Gunthorpe wrote:
> > On Thu, Apr 07, 2022 at 06:03:37PM +0100, Robin Murphy wrote:
> > > At a glance, this all looks about the right shape to me now, thanks!
> >
> > Thanks!
> >
> > > Ideally I'd hope patch #4 could go straight to device_iommu_capable() from
> > > my Thunderbolt series, but we can figure that out in a couple of weeks once
> >
> > Yes, this does helps that because now the only iommu_capable call is
> > in a context where a device is available :)
>
> Derp, of course I have *two* VFIO patches waiting, the other one touching
> the iommu_capable() calls (there's still IOMMU_CAP_INTR_REMAP, which, much
> as I hate it and would love to boot all that stuff over to
> drivers/irqchip,
Oh me too...
> it's not in my way so I'm leaving it be for now). I'll have to rebase that
> anyway, so merging this as-is is absolutely fine!
This might help your effort - after this series and this below there
are no 'bus' users of iommu_capable left at all.
From 55d72be40bc0a031711e318c8dd1cb60673d9eca Mon Sep 17 00:00:00 2001
From: Jason Gunthorpe <jgg@nvidia.com>
Date: Thu, 7 Apr 2022 16:00:50 -0300
Subject: [PATCH] vfio: Move the IOMMU_CAP_INTR_REMAP to a context with a
struct device
This check is done to ensure that the device we want to use is fully
isolated and the platform does not allow the device's MemWr TLPs to
trigger unauthorized MSIs.
Instead of doing it in the container context where we only have a group,
move the check to open_device where we actually know the device.
This is still security safe as userspace cannot trigger an MemWr TLPs
without obtaining a device fd.
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
drivers/vfio/vfio.c | 9 +++++++++
drivers/vfio/vfio.h | 1 +
drivers/vfio/vfio_iommu_type1.c | 28 +++++++++++++++++-----------
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
index 9edad767cfdad3..8db5cea1dc1d75 100644
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -1355,6 +1355,15 @@ static int vfio_group_get_device_fd(struct vfio_group *group, char *buf)
if (IS_ERR(device))
return PTR_ERR(device);
+ /* Confirm this device is compatible with the container */
+ if (group->type == VFIO_IOMMU &&
+ group->container->iommu_driver->ops->device_ok) {
+ ret = group->container->iommu_driver->ops->device_ok(
+ group->container->iommu_data, device->dev);
+ if (ret)
+ goto err_device_put;
+ }
+
if (!try_module_get(device->dev->driver->owner)) {
ret = -ENODEV;
goto err_device_put;
diff --git a/drivers/vfio/vfio.h b/drivers/vfio/vfio.h
index a6713022115155..3db60de71d42eb 100644
--- a/drivers/vfio/vfio.h
+++ b/drivers/vfio/vfio.h
@@ -66,6 +66,7 @@ struct vfio_iommu_driver_ops {
struct iommu_group *group);
void (*notify)(void *iommu_data,
enum vfio_iommu_notify_type event);
+ int (*device_ok)(void *iommu_data, struct device *device);
};
int vfio_register_iommu_driver(const struct vfio_iommu_driver_ops *ops);
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index c13b9290e35759..5e966fb0ab9202 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -2153,6 +2153,21 @@ static void vfio_iommu_iova_insert_copy(struct vfio_iommu *iommu,
list_splice_tail(iova_copy, iova);
}
+static int vfio_iommu_device_ok(void *iommu_data, struct device *device)
+{
+ bool msi_remap;
+
+ msi_remap = irq_domain_check_msi_remap() ||
+ iommu_capable(device->bus, IOMMU_CAP_INTR_REMAP);
+
+ if (!allow_unsafe_interrupts && !msi_remap) {
+ pr_warn("%s: No interrupt remapping support. Use the module param \"allow_unsafe_interrupts\" to enable VFIO IOMMU support on this platform\n",
+ __func__);
+ return -EPERM;
+ }
+ return 0;
+}
+
static int vfio_iommu_type1_attach_group(void *iommu_data,
struct iommu_group *iommu_group, enum vfio_group_type type)
{
@@ -2160,7 +2175,7 @@ static int vfio_iommu_type1_attach_group(void *iommu_data,
struct vfio_iommu_group *group;
struct vfio_domain *domain, *d;
struct bus_type *bus = NULL;
- bool resv_msi, msi_remap;
+ bool resv_msi;
phys_addr_t resv_msi_base = 0;
struct iommu_domain_geometry *geo;
LIST_HEAD(iova_copy);
@@ -2257,16 +2272,6 @@ static int vfio_iommu_type1_attach_group(void *iommu_data,
INIT_LIST_HEAD(&domain->group_list);
list_add(&group->next, &domain->group_list);
- msi_remap = irq_domain_check_msi_remap() ||
- iommu_capable(bus, IOMMU_CAP_INTR_REMAP);
-
- if (!allow_unsafe_interrupts && !msi_remap) {
- pr_warn("%s: No interrupt remapping support. Use the module param \"allow_unsafe_interrupts\" to enable VFIO IOMMU support on this platform\n",
- __func__);
- ret = -EPERM;
- goto out_detach;
- }
-
/*
* If the IOMMU can block non-coherent operations (ie PCIe TLPs with
* no-snoop set) then VFIO always turns this feature on because on Intel
@@ -3159,6 +3164,7 @@ static const struct vfio_iommu_driver_ops vfio_iommu_driver_ops_type1 = {
.open = vfio_iommu_type1_open,
.release = vfio_iommu_type1_release,
.ioctl = vfio_iommu_type1_ioctl,
+ .device_ok = vfio_iommu_device_ok,
.attach_group = vfio_iommu_type1_attach_group,
.detach_group = vfio_iommu_type1_detach_group,
.pin_pages = vfio_iommu_type1_pin_pages,
--
2.35.1
next prev parent reply other threads:[~2022-04-07 19:08 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-07 15:23 [PATCH v2 0/4] Make the iommu driver no-snoop block feature consistent Jason Gunthorpe
2022-04-07 15:23 ` [PATCH v2 1/4] iommu: Introduce the domain op enforce_cache_coherency() Jason Gunthorpe
2022-04-08 8:05 ` Tian, Kevin
2022-04-09 12:44 ` Lu Baolu
2022-04-11 14:11 ` Jason Gunthorpe
2022-04-08 8:27 ` Tian, Kevin
2022-04-07 15:23 ` [PATCH v2 2/4] vfio: Move the Intel no-snoop control off of IOMMU_CACHE Jason Gunthorpe
2022-04-08 8:16 ` Tian, Kevin
2022-04-09 12:50 ` Lu Baolu
2022-04-12 7:44 ` Tian, Kevin
2022-04-12 13:13 ` Lu Baolu
2022-04-12 13:20 ` Jason Gunthorpe
2022-04-12 23:04 ` Tian, Kevin
2022-04-13 11:37 ` Lu Baolu
2022-04-08 15:47 ` Alex Williamson
2022-04-11 14:13 ` Jason Gunthorpe
2022-04-07 15:23 ` [PATCH v2 3/4] iommu: Redefine IOMMU_CAP_CACHE_COHERENCY as the cap flag for IOMMU_CACHE Jason Gunthorpe
2022-04-08 8:21 ` Tian, Kevin
2022-04-08 12:21 ` Jason Gunthorpe
2022-04-09 12:51 ` Lu Baolu
2022-04-07 15:23 ` [PATCH v2 4/4] vfio: Require that devices support DMA cache coherence Jason Gunthorpe
2022-04-08 8:26 ` Tian, Kevin
2022-04-08 12:22 ` Jason Gunthorpe
2022-04-08 13:28 ` Robin Murphy
2022-04-08 13:37 ` Jason Gunthorpe
2022-04-08 15:48 ` Alex Williamson
2022-07-01 4:57 ` Alexey Kardashevskiy
2022-07-01 6:07 ` Tian, Kevin
2022-07-01 6:24 ` Alexey Kardashevskiy
2022-04-07 17:03 ` [PATCH v2 0/4] Make the iommu driver no-snoop block feature consistent Robin Murphy
2022-04-07 17:43 ` Jason Gunthorpe
2022-04-07 18:02 ` Robin Murphy
2022-04-07 19:08 ` Jason Gunthorpe [this message]
2022-04-07 19:27 ` Robin Murphy
2022-04-08 12:18 ` Jason Gunthorpe
2022-04-08 13:11 ` Robin Murphy
2022-04-08 13:35 ` Jason Gunthorpe
2022-04-08 17:44 ` Robin Murphy
2022-04-12 2:51 ` Tian, Kevin
2022-04-08 9:08 ` Tian, Kevin
2022-04-08 10:11 ` Robin Murphy
2022-04-12 2:49 ` Tian, Kevin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220407190824.GS2120790@nvidia.com \
--to=jgg@nvidia.com \
--cc=alex.williamson@redhat.com \
--cc=baolu.lu@linux.intel.com \
--cc=cohuck@redhat.com \
--cc=dwmw2@infradead.org \
--cc=hch@lst.de \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox