From: Alexey Kardashevskiy
To: Jason Gunthorpe
Cc: Joerg Roedel, kvm@vger.kernel.org, Fabiano Rosas, linuxppc-dev@lists.ozlabs.org, Daniel Henrique Barboza, Nicholas Piggin, Murilo Opsfelder Araujo, kvm-ppc@vger.kernel.org, Alex Williamson, Oliver O'Halloran, Joel Stanley, Robin Murphy
Subject: Re: [PATCH kernel] powerpc/iommu: Add iommu_ops to report capabilities and allow blocking domains
Date: Fri, 8 Jul 2022 23:10:07 +1000

On 08/07/2022 21:55, Jason Gunthorpe wrote:
> On Fri, Jul 08, 2022 at 04:34:55PM +1000, Alexey Kardashevskiy wrote:
>
>> For now I'll add a comment in spapr_tce_iommu_attach_dev() that it is fine
>> to do nothing as tce_iommu_take_ownership() and
>> tce_iommu_take_ownership_ddw() take care of not having active DMA mappings.
>
> That will still cause a security problem because
> tce_iommu_take_ownership()/etc are called too late. This is the moment
> in the flow when the ownership must change away from the DMA API that
> power implements and to VFIO, not later.

It is getting better and better :)

On POWERNV, at boot time the platform sets up PHBs, enables bypass, creates groups and attaches devices. As of now, attaching devices to the default domain (which is BLOCKED) fails the not-being-used check, as enabled bypass means "everything is mapped for DMA". So at this point the default domain has to be IOMMU_DOMAIN_IDENTITY or IOMMU_DOMAIN_UNMANAGED so later on VFIO can move devices to IOMMU_DOMAIN_BLOCKED. Am I missing something?

>
> Jason

--
Alexey