From: Robin Murphy <robin.murphy@arm.com>
To: Jason Gunthorpe <jgg@ziepe.ca>, Joonwon Kang <joonwonkang@google.com>
Cc: Alexander.Grest@microsoft.com, amhetre@nvidia.com,
baolu.lu@linux.intel.com, easwar.hariharan@linux.microsoft.com,
iommu@lists.linux.dev, jacob.jun.pan@linux.intel.com,
joro@8bytes.org, jpb@kernel.org, kees@kernel.org,
kevin.tian@intel.com, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, nicolinc@nvidia.com,
praan@google.com, smostafa@google.com, will@kernel.org
Subject: Re: [PATCH RFC] iommu: Enable per-device SSID space for SVA
Date: Tue, 12 May 2026 14:53:49 +0100
Message-ID: <b95b42c6-4d10-4701-88e2-9991f3773e6a@arm.com>
In-Reply-To: <20260512124015.GU9285@ziepe.ca>

On 12/05/2026 1:40 pm, Jason Gunthorpe wrote:
> On Tue, May 12, 2026 at 09:57:14AM +0000, Joonwon Kang wrote:
>>> There is a bit more going on though, I think that is what Joonwon is
>>> mentioning by asking about ST64B and ST64BV. I *think* the answer is:
>>>
>>> - ST64B uses a posted write
>>> - ST64BV can be restricted so EL0 cannot execute it, it uses a
>>> non-posted write (AI tells me via EnASR)
>>> - ST64BV0 can be used by EL0, always uses a non-posted write, and always
>>> uses ACCDATA_EL1
>>>
>>> Which is similar to Intel.
>>
>> Ah, I missed that ST64BV is currently being trapped to EL1 while ST64B is
>> not [1]. However, I am not sure if the trap is to disallow EL0 to use it.
>> Can it be instead to pass the response value of the non-posted write to
>> EL0 while using the EL0-given PASID as-is? If so, I believe EL0 still can
>> specify arbitrary PASID as it wants via ST64BV.
>
> I think if an OS implements things this way it would be security
> broken as far as ENQCMD compatible HW goes.

Yes, I think it's rather the point that the EnALS/EnASR traps to EL1
allow EL1 to sanitise the data that ST64B/ST64BV are sending, and do
exactly things like substituting a valid PASID. ST64BV0 offers a way of
doing so _without_ needing the overhead of trapping, but conversely that
needs the EnAS0 opt-in all the way down to indicate both EL1's awareness
of programming ACCDATA_EL1 appropriately and EL2/3's awareness of
context-switching it.

I've not looked closely at what exactly the arm64 arch code is doing
today and how well it actually fits the expected ENQCMD usage model, but
I can well believe it might need a bit of tweaking.

Thanks,
Robin.

>> Since I guess ST64B* instructions are to serve generic purposes not only
>> for communication with accelerators with SIOV but also with any memory
>> location or device without SIOV, I am not sure if it is always okay to
>> make those instructions work the way Jason mentioned.
>
> The end point has to use the posted vs non-posted write distinction
> for security.
>
>>> The device only processes the PASID from a non-posted write,
>>
>> Regarding ST64B, are the ARM devices behind ARM SMMU v3 supposed to work
>> this way too? If not, EL0 can specify arbitrary PASID via ST64B with the
>> kernel today [1].
>
> If you want ENQCMD compatible semantics then yes you have to do all of
> these things, it is part of the security design.
>
> Jason
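
A toy C model of the design discussed in this message, added here as an illustration; it is not part of the original thread and is not arm64 kernel code. It shows which PASID an endpoint acts on for each of the three instructions, with and without the EL1 trap. Assumptions: the PASID sits in bits 19:0 of the first doubleword (following the ENQCMD descriptor layout), the posted/non-posted behaviour is as described in the thread, and all struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model only. Assumption: PASID occupies bits 19:0 of doubleword 0. */
#define PASID_MASK 0xFFFFFu

enum insn { ST64B, ST64BV, ST64BV0 };

struct cpu_ctx {            /* hypothetical per-task state */
    bool     trap_to_el1;   /* EL0 use of ST64B/ST64BV traps to EL1 */
    uint32_t accdata_el1;   /* value EL1 programmed into ACCDATA_EL1 */
    uint32_t task_pasid;    /* PASID the kernel allocated for the task */
};

struct bus_write { uint64_t data[8]; bool non_posted; };

/* CPU side: what leaves the core for a 64-byte store issued at EL0. */
static struct bus_write issue(const struct cpu_ctx *c, enum insn i,
                              const uint64_t el0_regs[8])
{
    struct bus_write w = { .non_posted = (i != ST64B) };
    for (int k = 0; k < 8; k++)
        w.data[k] = el0_regs[k];
    if (i == ST64BV0)        /* bottom 32 bits are taken from ACCDATA_EL1 */
        w.data[0] = (w.data[0] & ~0xFFFFFFFFull) | c->accdata_el1;
    else if (c->trap_to_el1) /* EL1 emulation substitutes a valid PASID */
        w.data[0] = (w.data[0] & ~(uint64_t)PASID_MASK) | c->task_pasid;
    return w;
}

/* Endpoint side: honour a PASID only if it arrived in a non-posted write. */
static bool device_accept(const struct bus_write *w, uint32_t *pasid)
{
    if (!w->non_posted)
        return false;
    *pasid = (uint32_t)w->data[0] & PASID_MASK;
    return true;
}

/* PASID the device acts on, or -1 if the write is not a work submission. */
long effective_pasid(const struct cpu_ctx *c, enum insn i, uint32_t el0_value)
{
    uint64_t regs[8] = { el0_value };
    uint32_t p = 0;
    struct bus_write w = issue(c, i, regs);
    return device_accept(&w, &p) ? (long)p : -1;
}

int main(void)
{
    struct cpu_ctx c = { true, 0x42, 0x42 };   /* constructed sample values */
    printf("%ld\n", effective_pasid(&c, ST64BV, 0x99));
    return 0;
}
```

In this model the only configuration in which the EL0-supplied value reaches the device as a PASID is ST64BV with the trap disabled, which is the case the thread is concerned about.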