From: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
To: Mostafa Saleh <smostafa@google.com>, Jason Gunthorpe <jgg@ziepe.ca>
Cc: iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
robin.murphy@arm.com, m.szyprowski@samsung.com, will@kernel.org,
maz@kernel.org, suzuki.poulose@arm.com, catalin.marinas@arm.com,
jiri@resnulli.us
Subject: Re: [RFC PATCH v2 1/5] dma-mapping: Avoid double decrypting with DMA_RESTRICTED_POOL
Date: Mon, 13 Apr 2026 11:30:38 +0530 [thread overview]
Message-ID: <yq5aeckjbdrt.fsf@kernel.org> (raw)
In-Reply-To: <acrgYotBExJhEJkK@google.com>
Mostafa Saleh <smostafa@google.com> writes:
> On Mon, Mar 30, 2026 at 12:06:54PM -0300, Jason Gunthorpe wrote:
>> On Mon, Mar 30, 2026 at 02:50:39PM +0000, Mostafa Saleh wrote:
>> > In case a device have a restricted DMA pool, it will be decrypted
>> > by default.
>> >
>> > However, in the path of dma_direct_alloc() memory can be allocated
>> > from this pool using, __dma_direct_alloc_pages() =>
>> > dma_direct_alloc_swiotlb()
>> >
>> > After that from the same function, it will attempt to decrypt it
>> > using dma_set_decrypted() if force_dma_unencrypted().
>> >
>> > Which results in the memory being decrypted twice.
>> >
>> > It's not clear how the does realm world/hypervisors deal with that,
>> > for example:
>> > - CCA: Clear a bit in the page table and call realm IPA_STATE_SET.
>> > - TDX: Issue a hypercall.
>> > - pKVM: Which doesn't implement force_dma_unencrypted() at the moment,
>> > uses a share hypercall.
>> >
>> > Change that to only encrypt/decrypt memory that are not allocated
>> > from the restricted dma pools.
>> >
>> > Fixes: f4111e39a52a ("swiotlb: Add restricted DMA alloc/free support")
>> > Signed-off-by: Mostafa Saleh <smostafa@google.com>
>> > ---
>> > kernel/dma/direct.c | 4 ++--
>> > 1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
>> > index 8f43a930716d..27d804f0473f 100644
>> > --- a/kernel/dma/direct.c
>> > +++ b/kernel/dma/direct.c
>> > @@ -79,7 +79,7 @@ bool dma_coherent_ok(struct device *dev, phys_addr_t phys, size_t size)
>> >
>> > static int dma_set_decrypted(struct device *dev, void *vaddr, size_t size)
>> > {
>> > - if (!force_dma_unencrypted(dev))
>> > + if (!force_dma_unencrypted(dev) || is_swiotlb_for_alloc(dev))
>> > return 0;
>>
>> This seems really obtuse, I would expect the decryption state of the
>> memory to be known by the caller. If dma_direct_alloc_swiotlb() can
>> return decrypted or encrypted memory it needs to return a flag saying
>> that. It shouldn't be deduced by checking dev flags in random places
>> like this.
>
> At the moment restricted dma is always decrypted, also it’s per device
> so we don’t have to check this per allocation.
> I can change the signature for __dma_direct_alloc_pages() to make it
> return an extra flag but that feels more complicated as it changes
> dma_direct_alloc_swiotlb() , swiotlb_alloc() with its callers.
>
> I can investigate this approach further.
>
I know there is a v3, but I’m commenting here to check whether we really
need to do this now. In my opinion, we can keep this much simpler by
treating all swiotlb allocations as decrypted allocations. We also need
this to simplify the IPA change alignment updates I posted
https://lore.kernel.org/all/20260309102625.2315725-2-aneesh.kumar@kernel.org
-aneesh
next prev parent reply other threads:[~2026-04-13 6:00 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-30 14:50 [RFC PATCH v2 0/5] dma-mapping: Fixes for memory encryption Mostafa Saleh
2026-03-30 14:50 ` [RFC PATCH v2 1/5] dma-mapping: Avoid double decrypting with DMA_RESTRICTED_POOL Mostafa Saleh
2026-03-30 15:06 ` Jason Gunthorpe
2026-03-30 20:43 ` Mostafa Saleh
2026-03-31 11:34 ` Suzuki K Poulose
2026-03-31 12:50 ` Mostafa Saleh
2026-04-13 6:00 ` Aneesh Kumar K.V [this message]
2026-04-13 12:35 ` Jason Gunthorpe
2026-03-30 14:50 ` [RFC PATCH v2 2/5] dma-mapping: Use the correct phys_to_dma() for DMA_RESTRICTED_POOL Mostafa Saleh
2026-03-30 15:09 ` Jason Gunthorpe
2026-03-30 20:47 ` Mostafa Saleh
2026-03-30 22:28 ` Jason Gunthorpe
2026-04-13 6:08 ` Aneesh Kumar K.V
2026-03-30 14:50 ` [RFC PATCH v2 3/5] dma-mapping: Decrypt memory on remap Mostafa Saleh
2026-03-30 15:19 ` Jason Gunthorpe
2026-03-30 20:49 ` Mostafa Saleh
2026-03-30 22:30 ` Jason Gunthorpe
2026-04-13 6:23 ` Aneesh Kumar K.V
2026-03-30 14:50 ` [RFC PATCH v2 4/5] dma-mapping: Refactor memory encryption usage Mostafa Saleh
2026-03-30 15:27 ` Jason Gunthorpe
2026-03-30 14:50 ` [RFC PATCH v2 5/5] dma-mapping: Add doc for memory encryption Mostafa Saleh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yq5aeckjbdrt.fsf@kernel.org \
--to=aneesh.kumar@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=jiri@resnulli.us \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=maz@kernel.org \
--cc=robin.murphy@arm.com \
--cc=smostafa@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox