[RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[Joseph Cihula]

The tboot module will DMA protect all of memory in order to ensure the that
kernel will be able to initialize without compromise (from DMA).  Consequently,
the kernel must enable Intel(R) Virtualization Technology for Directed I/O
(VT-d or Intel IOMMU) in order to replace this broad protection with the
appropriate page-granular protection.  Otherwise DMA devices will be unable
to read or write from memory and the kernel will eventually panic.

Because runtime IOMMU support is configurable by command line options, this
patch will force it to be enabled regardless of the options specified, and will
log a message if it was required to force it on.


 dmar.c        |    7 +++++++
 intel-iommu.c |   17 +++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
Signed-off-by: Shane Wang <shane.wang@intel.com>

---

diff -uprN -X linus-2.6.git-0629/Documentation/dontdiff linus-2.6.git-0629/drivers/pci/dmar.c linus-2.6.git-0629-txt/drivers/pci/dmar.c
--- linus-2.6.git-0629/drivers/pci/dmar.c	2009-06-29 21:57:21.000000000 -0700
+++ linus-2.6.git-0629-txt/drivers/pci/dmar.c	2009-06-30 16:15:53.000000000 -0700
@@ -33,6 +33,7 @@
 #include <linux/timer.h>
 #include <linux/irq.h>
 #include <linux/interrupt.h>
+#include <asm/tboot.h>
 
 #undef PREFIX
 #define PREFIX "DMAR:"
@@ -413,6 +414,12 @@ parse_dmar_table(void)
 	 */
 	dmar_table_detect();
 
+	/*
+	 * ACPI tables may not be DMA protected by tboot, so use DMAR copy
+	 * SINIT saved in SinitMleData in TXT heap (which is DMA protected)
+	 */
+	dmar_tbl = tboot_get_dmar_table(dmar_tbl);
+
 	dmar = (struct acpi_table_dmar *)dmar_tbl;
 	if (!dmar)
 		return -ENODEV;
diff -uprN -X linus-2.6.git-0629/Documentation/dontdiff linus-2.6.git-0629/drivers/pci/intel-iommu.c linus-2.6.git-0629-txt/drivers/pci/intel-iommu.c
--- linus-2.6.git-0629/drivers/pci/intel-iommu.c	2009-06-29 21:57:21.000000000 -0700
+++ linus-2.6.git-0629-txt/drivers/pci/intel-iommu.c	2009-06-30 17:17:43.000000000 -0700
@@ -38,6 +38,7 @@
 #include <linux/intel-iommu.h>
 #include <linux/sysdev.h>
 #include <asm/cacheflush.h>
+#include <asm/tboot.h>
 #include <asm/iommu.h>
 #include "pci.h"
 
@@ -3113,12 +3114,22 @@ static int __init init_iommu_sysfs(void)
 int __init intel_iommu_init(void)
 {
 	int ret = 0;
+	int force_on = 0;
 
-	if (dmar_table_init())
+	/* VT-d is required for a TXT/tboot launch, so enforce that */
+	force_on = tboot_force_iommu();
+
+	if (dmar_table_init()) {
+		if (force_on)
+			panic("tboot: Failed to initialize DMAR table\n");
 		return 	-ENODEV;
+	}
 
-	if (dmar_dev_scope_init())
+	if (dmar_dev_scope_init()) {
+		if (force_on)
+			panic("tboot: Failed to initialize DMAR device scope\n");
 		return 	-ENODEV;
+	}
 
 	/*
 	 * Check the need for DMA-remapping initialization now.
@@ -3134,6 +3145,8 @@ int __init intel_iommu_init(void)
 
 	ret = init_dmars();
 	if (ret) {
+		if (force_on)
+			panic("tboot: Failed to initialize DMARs\n");
 		printk(KERN_ERR "IOMMU: dmar init failed\n");
 		put_iova_domain(&reserved_iova_list);
 		iommu_exit_mempool();

Re: [RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[Pavel Machek]

On Tue 2009-06-30 19:31:10, Joseph Cihula wrote:
> The tboot module will DMA protect all of memory in order to ensure the that
> kernel will be able to initialize without compromise (from DMA).  Consequently,
> the kernel must enable Intel(R) Virtualization Technology for Directed I/O
> (VT-d or Intel IOMMU) in order to replace this broad protection with the
> appropriate page-granular protection.  Otherwise DMA devices will be unable
> to read or write from memory and the kernel will eventually panic.
> 
> Because runtime IOMMU support is configurable by command line options, this
> patch will force it to be enabled regardless of the options specified, and will
> log a message if it was required to force it on.
> 
> 
>  dmar.c        |    7 +++++++
>  intel-iommu.c |   17 +++++++++++++++--
>  2 files changed, 22 insertions(+), 2 deletions(-)
> 
> Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
> Signed-off-by: Shane Wang <shane.wang@intel.com>

NAK. Breaks user expectations, misses  docs updates. 

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Re: [RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[Ingo Molnar]

* Pavel Machek <pavel@ucw.cz> wrote:

> 
> On Tue 2009-06-30 19:31:10, Joseph Cihula wrote:
> > The tboot module will DMA protect all of memory in order to ensure the that
> > kernel will be able to initialize without compromise (from DMA).  Consequently,
> > the kernel must enable Intel(R) Virtualization Technology for Directed I/O
> > (VT-d or Intel IOMMU) in order to replace this broad protection with the
> > appropriate page-granular protection.  Otherwise DMA devices will be unable
> > to read or write from memory and the kernel will eventually panic.
> > 
> > Because runtime IOMMU support is configurable by command line options, this
> > patch will force it to be enabled regardless of the options specified, and will
> > log a message if it was required to force it on.
> > 
> > 
> >  dmar.c        |    7 +++++++
> >  intel-iommu.c |   17 +++++++++++++++--
> >  2 files changed, 22 insertions(+), 2 deletions(-)
> > 
> > Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
> > Signed-off-by: Shane Wang <shane.wang@intel.com>
> 
> NAK. Breaks user expectations, misses  docs updates. 

What's your proposed solution? If an incompatible IOMMU option is 
specified should the kernel to disable TXT and panic?

	Ingo

Re: [RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[Pavel Machek]

On Fri 2009-07-03 10:21:11, Ingo Molnar wrote:
> 
> * Pavel Machek <pavel@ucw.cz> wrote:
> 
> > 
> > On Tue 2009-06-30 19:31:10, Joseph Cihula wrote:
> > > The tboot module will DMA protect all of memory in order to ensure the that
> > > kernel will be able to initialize without compromise (from DMA).  Consequently,
> > > the kernel must enable Intel(R) Virtualization Technology for Directed I/O
> > > (VT-d or Intel IOMMU) in order to replace this broad protection with the
> > > appropriate page-granular protection.  Otherwise DMA devices will be unable
> > > to read or write from memory and the kernel will eventually panic.
> > > 
> > > Because runtime IOMMU support is configurable by command line options, this
> > > patch will force it to be enabled regardless of the options specified, and will
> > > log a message if it was required to force it on.
> > > 
> > > 
> > >  dmar.c        |    7 +++++++
> > >  intel-iommu.c |   17 +++++++++++++++--
> > >  2 files changed, 22 insertions(+), 2 deletions(-)
> > > 
> > > Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
> > > Signed-off-by: Shane Wang <shane.wang@intel.com>
> > 
> > NAK. Breaks user expectations, misses  docs updates. 
> 
> What's your proposed solution? If an incompatible IOMMU option is 
> specified should the kernel to disable TXT and panic?

Yes.

...and whether we decide one way or another, it needs to be documented.a

											Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Re: [RFC v6][PATCH 4/4] intel_txt: force IOMMU on for Intel(R) TXT launch

[Ingo Molnar]

* Pavel Machek <pavel@ucw.cz> wrote:

> On Fri 2009-07-03 10:21:11, Ingo Molnar wrote:
> > 
> > * Pavel Machek <pavel@ucw.cz> wrote:
> > 
> > > 
> > > On Tue 2009-06-30 19:31:10, Joseph Cihula wrote:
> > > > The tboot module will DMA protect all of memory in order to ensure the that
> > > > kernel will be able to initialize without compromise (from DMA).  Consequently,
> > > > the kernel must enable Intel(R) Virtualization Technology for Directed I/O
> > > > (VT-d or Intel IOMMU) in order to replace this broad protection with the
> > > > appropriate page-granular protection.  Otherwise DMA devices will be unable
> > > > to read or write from memory and the kernel will eventually panic.
> > > > 
> > > > Because runtime IOMMU support is configurable by command line options, this
> > > > patch will force it to be enabled regardless of the options specified, and will
> > > > log a message if it was required to force it on.
> > > > 
> > > > 
> > > >  dmar.c        |    7 +++++++
> > > >  intel-iommu.c |   17 +++++++++++++++--
> > > >  2 files changed, 22 insertions(+), 2 deletions(-)
> > > > 
> > > > Signed-off-by: Joseph Cihula <joseph.cihula@intel.com>
> > > > Signed-off-by: Shane Wang <shane.wang@intel.com>
> > > 
> > > NAK. Breaks user expectations, misses docs updates.
> > 
> > What's your proposed solution? If an incompatible IOMMU option 
> > is specified should the kernel to disable TXT and panic?
> 
> Yes.
> 
> ...and whether we decide one way or another, it needs to be 
> documented.a

But the user already specified another thing as well: that we should 
boot with TXT.

So we have conflicting user options. Wouldnt it be the proper 
engineering solution to print a warning about the incompatible IOMMU 
option and disable it, but not crash the bootup? We generally prefer 
to boot up.

Anyway, this is a small detail clearly.

	Ingo