From: Shameerali Kolothum Thodi
To: Nicolin Chen, "will@kernel.org", "robin.murphy@arm.com"
CC: "joro@8bytes.org", "jgg@nvidia.com", "thierry.reding@gmail.com", "vdumpa@nvidia.com", "jonathanh@nvidia.com", "linux-kernel@vger.kernel.org", "iommu@lists.linux.dev", "linux-arm-kernel@lists.infradead.org", "linux-tegra@vger.kernel.org"
Subject: RE: [PATCH v5 6/6] iommu/tegra241-cmdqv: Limit CMDs for guest owned VINTF
Date: Wed, 17 Apr 2024 15:12:57 +0000
Message-ID: <1d68c21591fa4f8497aea0e6a0afda8b@huawei.com>

> -----Original Message-----
> From: Nicolin Chen
> Sent: Saturday, April 13, 2024 4:44 AM
> To: will@kernel.org; robin.murphy@arm.com
> Cc: joro@8bytes.org; jgg@nvidia.com; thierry.reding@gmail.com;
> vdumpa@nvidia.com; jonathanh@nvidia.com; linux-kernel@vger.kernel.org;
> iommu@lists.linux.dev; linux-arm-kernel@lists.infradead.org;
> linux-tegra@vger.kernel.org
> Subject: [PATCH v5 6/6] iommu/tegra241-cmdqv: Limit CMDs for guest owned VINTF
>
> When VCMDQs are assigned to a VINTF owned by a guest (HYP_OWN bit unset),
> only TLB and ATC invalidation commands are supported by the VCMDQ HW. So,
> add a new helper to scan the input cmds to make sure every single command
> is supported when selecting a queue.
>
> Note that the guest VM shouldn't have HYP_OWN bit being set regardless of
> guest kernel driver writing it or not, i.e. the hypervisor running in the
> host OS should wire this bit to zero when trapping a write access to this
> VINTF_CONFIG register from a guest kernel.

Just curious, suppose there is a malicious guest with a compromised kernel which bypasses the HYP_OWN bit check and issues other commands, does the hardware have the capability to detect it and not make the host unstable in any way?

Thanks,
Shameer

>
> Signed-off-by: Nicolin Chen
> ---
> drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 7 +--
> drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h | 5 ++-
> .../iommu/arm/arm-smmu-v3/tegra241-cmdqv.c | 43 ++++++++++++++++++-
> 3 files changed, 49 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c > b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c > index ba7a933c1efb..9af6659ea488 100644 > --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c > +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c 
> @@ -352,10 +352,11 @@ static int arm_smmu_cmdq_build_cmd(u64 *cmd, > struct arm_smmu_cmdq_ent *ent) > return 0; > } > > -static struct arm_smmu_cmdq *arm_smmu_get_cmdq(struct > arm_smmu_device *smmu) > +static struct arm_smmu_cmdq *arm_smmu_get_cmdq(struct > arm_smmu_device *smmu, > + u64 *cmds, int n) > { > if (smmu->tegra241_cmdqv) > - return tegra241_cmdqv_get_cmdq(smmu); > + return tegra241_cmdqv_get_cmdq(smmu, cmds, n); > > return &smmu->cmdq; > } > @@ -765,7 +766,7 @@ static int arm_smmu_cmdq_issue_cmdlist(struct > arm_smmu_device *smmu, > u32 prod; > unsigned long flags; > bool owner; > - struct arm_smmu_cmdq *cmdq = arm_smmu_get_cmdq(smmu); > + struct arm_smmu_cmdq *cmdq = arm_smmu_get_cmdq(smmu, cmds, > n); > struct arm_smmu_ll_queue llq, head; > int ret = 0; > > diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h > b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h > index 5b8e463c28eb..fdc3d570cf43 100644 > --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h > +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.h > @@ -836,7 +836,8 @@ static inline void > arm_smmu_sva_remove_dev_pasid(struct iommu_domain *domain, > struct tegra241_cmdqv * > tegra241_cmdqv_acpi_probe(struct arm_smmu_device *smmu, int id); > int tegra241_cmdqv_device_reset(struct arm_smmu_device *smmu); > -struct arm_smmu_cmdq *tegra241_cmdqv_get_cmdq(struct > arm_smmu_device *smmu); > +struct arm_smmu_cmdq *tegra241_cmdqv_get_cmdq(struct > arm_smmu_device *smmu, > + u64 *cmds, int n); > #else /* CONFIG_TEGRA241_CMDQV */ > static inline struct tegra241_cmdqv * > tegra241_cmdqv_acpi_probe(struct arm_smmu_device *smmu, int id) > @@ -850,7 +851,7 @@ static inline int tegra241_cmdqv_device_reset(struct > arm_smmu_device *smmu) > } > > static inline struct arm_smmu_cmdq * > -tegra241_cmdqv_get_cmdq(struct arm_smmu_device *smmu) > +tegra241_cmdqv_get_cmdq(struct arm_smmu_device *smmu, u64 *cmds, int > n) > { > return NULL; > } 
> diff --git a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c > b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c > index 15683123a4ce..7aeaf810980c 100644 > --- a/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c > +++ b/drivers/iommu/arm/arm-smmu-v3/tegra241-cmdqv.c > @@ -262,6 +262,7 @@ struct tegra241_vcmdq { > * struct tegra241_vintf - Virtual Interface > * @idx: Global index in the CMDQV HW > * @enabled: Enabled or not > + * @hyp_own: Owned by hypervisor (in-kernel) > * @error: Status error or not > * @cmdqv: CMDQV HW pointer > * @vcmdqs: List of VCMDQ pointers > @@ -271,6 +272,7 @@ struct tegra241_vintf { > u16 idx; > > bool enabled; > + bool hyp_own; > atomic_t error; /* Race between interrupts and get_cmdq() */ > > struct tegra241_cmdqv *cmdqv; > @@ -369,7 +371,32 @@ static irqreturn_t tegra241_cmdqv_isr(int irq, void > *devid) > return IRQ_HANDLED; > } > > -struct arm_smmu_cmdq *tegra241_cmdqv_get_cmdq(struct > arm_smmu_device *smmu) > +static bool tegra241_vintf_support_cmds(struct tegra241_vintf *vintf, > + u64 *cmds, int n) > +{ > + int i; > + > + /* VINTF owned by hypervisor can execute any command */ > + if (vintf->hyp_own) > + return true; > + > + /* Guest-owned VINTF must Check against the list of supported CMDs > */ > + for (i = 0; i < n; i++) { > + switch (FIELD_GET(CMDQ_0_OP, cmds[i * > CMDQ_ENT_DWORDS])) { > + case CMDQ_OP_TLBI_NH_ASID: > + case CMDQ_OP_TLBI_NH_VA: > + case CMDQ_OP_ATC_INV: > + continue; > + default: > + return false; > + } > + } > + > + return true; > +} > + > +struct arm_smmu_cmdq *tegra241_cmdqv_get_cmdq(struct > arm_smmu_device *smmu, > + u64 *cmds, int n) > { > struct tegra241_cmdqv *cmdqv = smmu->tegra241_cmdqv; > struct tegra241_vintf *vintf = cmdqv->vintfs[0]; 
> @@ -386,6 +413,10 @@ struct arm_smmu_cmdq > *tegra241_cmdqv_get_cmdq(struct arm_smmu_device *smmu) > if (atomic_read(&vintf->error)) > return &smmu->cmdq; > > + /* Unsupported CMDs go for smmu->cmdq pathway */ > + if (!tegra241_vintf_support_cmds(vintf, cmds, n)) > + return &smmu->cmdq; > + > /* > * Select a vcmdq to use. Here we use a temporal solution to > * balance out traffic on cmdq issuing: each cmdq has its own > @@ -575,6 +606,11 @@ int tegra241_cmdqv_device_reset(struct > arm_smmu_device *smmu) > if (ret) > return ret; > > + /* > + * Note that HYP_OWN bit is wired to zero when running in guest kernel > + * regardless of enabling it here, as !HYP_OWN cmdqs have a restricted > + * set of supported commands, by following the HW design. > + */ > regval = FIELD_PREP(VINTF_HYP_OWN, 1); > vintf_writel(regval, CONFIG); > > @@ -582,6 +618,11 @@ int tegra241_cmdqv_device_reset(struct > arm_smmu_device *smmu) > if (ret) > return ret; > > + /* > + * As being mentioned above, HYP_OWN bit is wired to zero for a guest > + * kernel, so read it back from HW to ensure that reflects in hyp_own > + */ > + vintf->hyp_own = !!(VINTF_HYP_OWN & vintf_readl(CONFIG)); > vintf->enabled = !!(VINTF_ENABLED & vintf_readl(STATUS)); > atomic_set(&vintf->error, > !!FIELD_GET(VINTF_STATUS, vintf_readl(STATUS))); > -- > 2.43.0
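
Review bot: In tegra241_vintf_support_cmds() (hunk @@ -369,7 +371,32 @@ of tegra241-cmdqv.c), the loop never runs when n is 0 and the helper returns true, so an empty batch is always treated as supported on a guest-owned VINTF; please say in the comment whether that is intended. The helper only reads the array, so the parameter can be "const u64 *cmds", and the comment "Guest-owned VINTF must Check against the list" has a stray capital. Since this scan lives in the driver that the guest kernel itself runs, it picks a queue for a well-behaved guest and cannot restrict a modified one, which is the case asked about in the reply above; a line in the helper's comment saying it is a routing filter rather than an enforcement point would avoid that misreading.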
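
Review bot: In tegra241_cmdqv_get_cmdq() (hunk @@ -386,6 +413,10 @@), a single unsupported opcode anywhere in cmds sends the whole batch of n commands to smmu->cmdq, including the TLB and ATC invalidations a VCMDQ could have taken, and the comment "Unsupported CMDs go for smmu->cmdq pathway" does not say how such a batch is ordered against commands already queued on a VCMDQ. Please extend the comment with that reasoning. It is also worth noting there that the scan runs on every call before a queue is chosen, and that it returns immediately when hyp_own is set.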
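
Review bot: In tegra241_cmdqv_device_reset() (hunk @@ -582,6 +618,11 @@), hyp_own is taken from a read-back of CONFIG, so the set of commands the driver allows on a VCMDQ rests on whatever answers that register read, and the comment should say who clears the bit for a guest. The commit message says the hypervisor does it when trapping the VINTF_CONFIG write, while the comment added in the previous hunk says "by following the HW design"; the two should agree. For wording, "As being mentioned above" and "to ensure that reflects in hyp_own" would read better as "As noted above" and "so that hyp_own reflects the HW state".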