From: sashiko-bot@kernel.org
To: "Dan Williams" <djbw@kernel.org>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY
Date: Sun, 05 Jul 2026 22:25:03 +0000 [thread overview]
Message-ID: <20260705222503.B3F791F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260705220819.2472765-10-djbw@kernel.org>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] Global device trust default is bypassed for non-PCI devices during IOMMU initialization because `device_initialize_trust()` fails to initialize `bus_trust`.
- [High] Driver binding overwrites `dev->bus_trust`, disabling dynamic IOMMU DMA protections and breaking PCI trust inheritance for downstream devices.
- [Low] Missing `#else` stub for `device_untrusted()` causes compilation errors when `CONFIG_DEVICE_TRUST` is disabled.
- [Low] `enum device_trust` is used as a value type in `struct device`, but it is neither defined nor forward-declared in `<linux/device.h>`.
--
commit e078ccf16f66fc647e7473fedd70781ac6e8fd5d
Author: Dan Williams <djbw@kernel.org>
PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY
This commit elevates the PCI "untrusted" concept to a core device trust
level called DEVICE_TRUST_ADVERSARY. It adds a new bus_trust field to
struct device and uses it to manage trust states before device_add(),
syncing it to the private device trust structure afterwards. It updates
IOMMU and PCI subsystems to use the generic device_untrusted() interface.
> diff --git a/drivers/base/trust.c b/drivers/base/trust.c
> index 0fd494e1557dc..8efbe5c512501 100644
> --- a/drivers/base/trust.c
> +++ b/drivers/base/trust.c
> @@ -6,15 +6,28 @@
> #include <linux/module.h>
> #include "base.h"
>
> +/* If the bus did not initialize trust, set a default */
> void device_initialize_trust(struct device *dev)
> {
> + dev->p->trust = dev->bus_trust;
> if (dev->p->trust == DEVICE_TRUST_UNSET)
> dev->p->trust = DEVICE_DEFAULT_TRUST;
> }
[Severity: High]
Does this bypass the global trust default for non-PCI devices?
The fallback logic updates dev->p->trust to DEVICE_DEFAULT_TRUST but leaves
dev->bus_trust as DEVICE_TRUST_UNSET (0). Since device_untrusted() strictly
evaluates dev->bus_trust, does this leave the trust uninitialized?
Furthermore, IOMMU probes devices via BUS_NOTIFY_ADD_DEVICE in device_add()
before device_initialize_trust() is called. Is bus_trust always 0 during
IOMMU probing for these non-PCI devices, disabling protections like SWIOTLB
bounce buffering?
[ ... ]
> @@ -30,18 +43,23 @@ static enum device_trust driver_trust(struct module *mod)
> * policy on trusting devices it attaches, update the device's trust
> * level from that policy. Trust privileges beyond driver bind are
> * realized in a bus's ->dma_configure().
> + *
> + * Reflect the operational trust level back to the public indicator.
> */
> bool device_trust_bind(const struct device_driver *drv, struct device *dev)
> {
> enum device_trust drv_trust = driver_trust(drv->owner);
>
> - if (drv_trust != DEVICE_TRUST_UNSET)
> + if (drv_trust != DEVICE_TRUST_UNSET) {
> dev->p->trust = drv_trust;
> + dev->bus_trust = drv_trust;
> + }
> return dev->p->trust > DEVICE_TRUST_NONE;
> }
[Severity: High]
Does overwriting dev->bus_trust with the driver's software trust level disable
dynamic IOMMU DMA protections?
When device_untrusted() evaluates dev->bus_trust after binding, it will
transition to false. Will this silently disable protections like SWIOTLB
bounce buffering in dev_use_swiotlb() for active untrusted devices?
Also, if an untrusted parent bridge (e.g., a Thunderbolt port) binds to the
pcieport driver, its bus_trust becomes AUTO. Will hot-plugged downstream
devices fail to inherit the untrusted state because pci_untrusted(parent)
evaluates to false in set_pcie_untrusted()?
[ ... ]
> diff --git a/include/linux/device.h b/include/linux/device.h
> index 7b2baffdd2f55..3e203d573a580 100644
> --- a/include/linux/device.h
> +++ b/include/linux/device.h
> @@ -791,6 +793,7 @@ struct device {
> struct device_physical_location *physical_location;
>
> enum device_removable removable;
> + enum device_trust bus_trust;
>
> DECLARE_BITMAP(flags, DEV_FLAG_COUNT);
> };
[Severity: Low]
Is enum device_trust an incomplete type here?
Since <linux/device/trust.h> is not included in <linux/device.h>, does using
it as a value-type field cause a compilation error in files that don't include
<linux/device/trust.h> manually?
[ ... ]
> diff --git a/include/linux/device/trust.h b/include/linux/device/trust.h
> index 3377d26dc485d..283d3196e5e69 100644
> --- a/include/linux/device/trust.h
> +++ b/include/linux/device/trust.h
[ ... ]
> #ifdef CONFIG_DEVICE_TRUST
> +bool device_untrusted(struct device *dev);
> void module_driver_trust(struct module *mod, const char *val);
> -void module_driver_trust_init(struct module *mod, bool distrust);
> +void module_driver_trust_init(struct module *mod, bool require_trust);
> #else
> static inline void module_driver_trust(struct module *mod, const char *val)
> {
> pr_warn("module: %s: trust= support disabled\n", mod->name);
> }
> -static inline void module_driver_trust_init(struct module *mod, bool distrust)
> +static inline void module_driver_trust_init(struct module *mod, bool require_trust)
> {
> }
> #endif
[Severity: Low]
Does this missing #else stub for device_untrusted() cause build failures?
Since CONFIG_DEVICE_TRUST is selected by PCI, configuring a kernel without PCI
but with IOMMU DMA support leaves device_untrusted() implicitly declared in
core IOMMU code like dev_use_swiotlb(). Should there be a fallback inline
function here?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705220819.2472765-1-djbw@kernel.org?part=9
next prev parent reply other threads:[~2026-07-05 22:25 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 22:08 [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Dan Williams
2026-07-05 22:08 ` [PATCH 01/15] netlink: specs: Introduce multi-message blobs for SPDM Dan Williams
2026-07-05 22:13 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 02/15] tools: ynl: Teach pyynl to handle blobs Dan Williams
2026-07-05 22:18 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 03/15] tools: ynl: Teach ynl_gen_c to validate and dump 'blob' attributes Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 04/15] device core: Introduce "device evidence" over netlink Dan Williams
2026-07-05 22:20 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 05/15] device core: Add "device evidence" 'validate' command Dan Williams
2026-07-05 22:26 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 06/15] PCI/TSM: Add device evidence support Dan Williams
2026-07-05 22:16 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 07/15] modules: Document the global async_probe parameter Dan Williams
2026-07-05 22:15 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 08/15] device core: Initial device trust infrastructure Dan Williams
2026-07-05 22:17 ` sashiko-bot
2026-07-06 13:45 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 09/15] PCI, device core: Move "untrusted" concept to DEVICE_TRUST_ADVERSARY Dan Williams
2026-07-05 22:25 ` sashiko-bot [this message]
2026-07-06 13:49 ` Jason Gunthorpe
2026-07-05 22:08 ` [PATCH 10/15] PCI/TSM: Add device interface security LOCKED support Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 11/15] PCI/TSM: Add device interface security RUN support Dan Williams
2026-07-05 22:21 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 12/15] PCI/TSM: Add device interface security DMA enable/disable Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 13/15] PCI, device core: Add private memory access for DEVICE_TRUST_TCB Dan Williams
2026-07-05 22:28 ` sashiko-bot
2026-07-06 12:42 ` Aneesh Kumar K.V
2026-07-05 22:08 ` [PATCH 14/15] PCI/TSM: Create MMIO descriptors via TDISP Report Dan Williams
2026-07-05 22:24 ` sashiko-bot
2026-07-05 22:08 ` [PATCH 15/15] PCI/TSM: Add relative MMIO offset support? Dan Williams
2026-07-05 22:25 ` sashiko-bot
2026-07-06 12:51 ` [PATCH 00/15] Device Evidence and Trust for PCI Security Protocol (TDISP) Jason Gunthorpe
2026-07-06 20:55 ` Dan Williams (nvidia)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705222503.B3F791F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=djbw@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox