Re: [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence

public inbox for linux-arm-kernel@lists.infradead.org
 help / color / mirror / Atom feed

From: Nicolin Chen <nicolinc@nvidia.com>
To: Will Deacon <will@kernel.org>, Jason Gunthorpe <jgg@nvidia.com>
Cc: <robin.murphy@arm.com>, <joro@8bytes.org>,
	<linux-arm-kernel@lists.infradead.org>, <iommu@lists.linux.dev>,
	<linux-kernel@vger.kernel.org>, <skolothumtho@nvidia.com>,
	<praan@google.com>, <xueshuai@linux.alibaba.com>,
	<smostafa@google.com>
Subject: Re: [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence
Date: Tue, 13 Jan 2026 12:29:11 -0800	[thread overview]
Message-ID: <aWarF90zBqxD0Gef@Asurada-Nvidia> (raw)
In-Reply-To: <20260113161253.GG812923@nvidia.com>

On Tue, Jan 13, 2026 at 12:12:53PM -0400, Jason Gunthorpe wrote:
> On Tue, Jan 13, 2026 at 03:05:52PM +0000, Will Deacon wrote:
> > I suppose we shouldn't ever see the case that they both have S2S, but
> > that's fine.
> 
> If they both have S2S then it works correctly? Any S2S forces EATS to
> follow the normal rules.
> 
> > The spec also suggests that there's an additional illegal STE case w/
> > split-stage ATS (EATS_S1CHK) if Config != S1+S2.
> 
> The driver doesn't support that either..
> 
> It is fixed by checking if new EATS is valid under old config and old
> EATS valid under new config.
> 
> Also to support S1CHK someday we cannot allow the hypervisor to leave
> S1_S2 and go to S2, since the HW can't deal with that...

Perhaps the safe bits should only have EATS_TRANS, excluding S1CHK:

--------------------------------------------------------------------------
+        * When an STE changes EATS_TRANS, the sequencing code in the attach
+        * logic already will have the PCI cap for ATS disabled. Thus at this
+        * moment we can expect that the device will not generate ATS queries
+        * and so we don't care about the sequencing of EATS. The purpose of
+        * EATS_TRANS is to protect the system from hostile untrusted devices
+        * that issue ATS when the PCI config space is disabled. However, if
+        * EATS_TRANS is being changed, then we must have already trusted the
+        * device as the EATS_TRANS security block is being disabled.
+        *
+        *  Note: now the EATS_TRANS update is moved to the first entry_set().
+        *  Changing S2S and EATS might transiently result in S2S=1 and EATS=1
+        *  which is a bad STE (see "5.2 Stream Table Entry"). In such a case,
+        *  we can't do a hitless update. Also, STRTAB_STE_1_EATS_S1CHK should
+        *  not be added to the safe bits because it relies on CFG[2:0]=0b111,
+        *  to prevent another bad STE.
         */
-       safe_bits[1] |= cpu_to_le64(STRTAB_STE_1_EATS);
+       if (!((cur[2] | target[2]) & cpu_to_le64(STRTAB_STE_2_S2S)))
+               safe_bits[1] |= cpu_to_le64(
+                       FIELD_PREP(STRTAB_STE_1_EATS, STRTAB_STE_1_EATS_TRANS));
--------------------------------------------------------------------------

@will, does this look good to you? I can send a v7 with this.

Thanks
Nicolin

next prev parent reply	other threads:[~2026-01-13 20:29 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-18 21:41 [PATCH rc v5 0/4] iommu/arm-smmu-v3: Fix hitless STE update in nesting cases Nicolin Chen
2025-12-18 21:41 ` [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence Nicolin Chen
2026-01-02 18:26   ` Mostafa Saleh
2026-01-07 21:20   ` Will Deacon
2026-01-08  0:36     ` Jason Gunthorpe
2026-01-12 15:53       ` Will Deacon
2026-01-12 16:10         ` Jason Gunthorpe
2026-01-12 18:58           ` Nicolin Chen
2026-01-13 15:05             ` Will Deacon
2026-01-13 16:12               ` Jason Gunthorpe
2026-01-13 20:29                 ` Nicolin Chen [this message]
2026-01-13 20:51                   ` Jason Gunthorpe
2026-01-15 13:11                     ` Jason Gunthorpe
2026-01-15 16:25                       ` Nicolin Chen
2026-01-15 16:29                         ` Jason Gunthorpe
2026-01-15 16:34                           ` Nicolin Chen
2026-01-15 17:39                             ` Will Deacon
2025-12-18 21:41 ` [PATCH rc v5 2/4] iommu/arm-smmu-v3: Mark STE MEV safe when computing the " Nicolin Chen
2026-01-02 18:27   ` Mostafa Saleh
2025-12-18 21:41 ` [PATCH rc v5 3/4] iommu/arm-smmu-v3: Mark STE EATS " Nicolin Chen
2025-12-18 21:41 ` [PATCH rc v5 4/4] iommu/arm-smmu-v3-test: Add nested s1bypass/s1dssbypass coverage Nicolin Chen
2026-01-02 18:27   ` Mostafa Saleh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aWarF90zBqxD0Gef@Asurada-Nvidia \
    --to=nicolinc@nvidia.com \
    --cc=iommu@lists.linux.dev \
    --cc=jgg@nvidia.com \
    --cc=joro@8bytes.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=praan@google.com \
    --cc=robin.murphy@arm.com \
    --cc=skolothumtho@nvidia.com \
    --cc=smostafa@google.com \
    --cc=will@kernel.org \
    --cc=xueshuai@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox