From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81029373C1E for ; Mon, 30 Mar 2026 20:43:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774903402; cv=none; b=GJ5tEPhfx2iwLyG7r7s0nTOx9xabnstGGlC1CmHyC2pD3J9n7mo2kPShpztFI78WpbKTswME6uj4yuZjOLE9o8RzvOEbSwpd/qVRt5ZENSr+0fzczZgDByn8R0C4uK7R04dQetuTL5mJMxyx4rJcT1v2z58Rds6bthVrtlfu7AM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774903402; c=relaxed/simple; bh=j1DH9+4DKc3WNPzE9spva4DKtqqPXG1KHbtj05J2lOU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=jzHdO7tO2oaiq/BD0c26VbwN4GCOeLwMPg9Z3YHYZoUz6OjMoDtQjsKHraMKXuD/7fDM6Z6W0r7L9Y2FZbcMVEKrm9hdwEMnNZiXtIk7/kGBBQWfqkMueETwJ0Mf85iHMHxPUUGp9/Byv+kmq6Q5j15BRAyFL7VwHN+y4IQ88Os= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=vPtykqrb; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="vPtykqrb" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-485317b6bd0so7335e9.1 for ; Mon, 30 Mar 2026 13:43:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1774903399; x=1775508199; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=K266JrUFCYcLzRBq6imblWcGN9WBD0YfXv5+zsA8i54=; b=vPtykqrbKFX4g8LEb3Pjji7N4n/RuF8LbW6Ail6gNu9PlyXenU4droBrzb5fq3awX6 XIbvgZApa0htai8bdMNKmlBVqp8dCF4oEPKlwUOPlTrNz1NYA2PUYo9UwIzbADtmbJLx dBnRSjXu46zEWdjwA4+jZkfaeYjGVTv0Wq30C6LZJJtxWbKja4MVqvj85+ibyN4Zi8Tn AwIUMuqL+auasedr986igpmMRL0aCQnrhObJu4EpV+9B6Ih9vKIoyT/Lcc8Ogx1ufPid tuag1Froelv1YvyUqXY7q8fCPfGbI7prOTBATeCOuQLAoFbTdFQt8aFtIhF8z2cL9fF2 Thdg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774903399; x=1775508199; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=K266JrUFCYcLzRBq6imblWcGN9WBD0YfXv5+zsA8i54=; b=cW5g4gP09r5XzHSGGXT7fNrgIU9gVhqySUY2MApninhkK9Olz15A8T+o58rkTw92sK nPy4yLha+UM/jn5IN0PHSxhftqC0Mllzi9wDkPU3xHsY97BOOZVDt0l3mbeYvHCvHt9o kwhjfmiRsr9LrpNmA83Z7gt64o5vRxJL4of53QGs+7ujq99FwJk+eaALC0KMsMMUacsX cxdI/KSCH99dYU4QqWwwPlcQDK3GYYbFHGJH+HjDEsgaOViNc2ON5dkILJTMS4n5USyV pEb+g0nT1n0Wubv1Ui3gsEE4Il9x0fnIyO8jeX16hXtj6qtc4A8PTJ6w4XG8+5Za/ojX VwSg== X-Forwarded-Encrypted: i=1; AJvYcCWvwp9R4z7vEAlkX8lBXY+mZWk5tofPGGP+D7ScIzTRwUDBGbXVH9xEKdg1LAl8pccOAaJUfSwzzcaesXs=@vger.kernel.org X-Gm-Message-State: AOJu0YxQiQlh9SOOG1ovoN6EaZnhRdswm3eafwjOcMwYH7dPXzPKtnZb 6/NAferuXFyUXEMYYSO/CgyR2RGGRdEjjru57747fdsCpojzmKix5vC3qRHYo3avBQ== X-Gm-Gg: ATEYQzwKIQrVKHBKoO46XyWUhBEWoXk6XBbwAxCL0P9pSkp8DAziA6xlPkdiCLtWc3l Wyja6ubucUvOAsCQgcPjdZusYCz30P0XYi4tiSW111yEaU8j/LVmgTSSMSajLqyTwbUjqcLyx/F 3XBWeMjCVs7OX6gehQxHpbR/1HId0wwE6vTSDSjDcrUlpoNJv6Kt7RzcIMcvoBQVQ9yvAbnidM1 Xcvpyne3dTiJHBRHkAw+iibVY6yIPbQ8rZnqwr/7lRSOa9vuVGYmA18I5cywllk6ZWYszW/jWUs O1BqaoCgvUcHc0/PnzkZHEbavAZEP4pis4C1HViBQLP2S0kg1ZHZsb4gigC+7j/ivSghnG3d9zm oqu+t13SN4bRi1BOueujrVKnjtokFK8eZwm7zAPzeUFSPyI5fYgWTy0A2Bqj/U9RSD697Xj0OR3 YKOR0WgCOdcEaQzSUzIN4ucYv1bHmyuGYFRHgMeyvvhoCuE1Jmm4T4N3Qm X-Received: by 2002:a05:600c:6a94:b0:485:4133:4021 with SMTP id 5b1f17b1804b1-4887b30da7dmr28865e9.7.1774903398437; Mon, 30 Mar 2026 13:43:18 -0700 (PDT) Received: from google.com (8.181.38.34.bc.googleusercontent.com. [34.38.181.8]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43cf257cbc3sm21530567f8f.35.2026.03.30.13.43.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 30 Mar 2026 13:43:17 -0700 (PDT) Date: Mon, 30 Mar 2026 20:43:14 +0000 From: Mostafa Saleh To: Jason Gunthorpe Cc: iommu@lists.linux.dev, linux-kernel@vger.kernel.org, robin.murphy@arm.com, m.szyprowski@samsung.com, will@kernel.org, maz@kernel.org, suzuki.poulose@arm.com, catalin.marinas@arm.com, jiri@resnulli.us, aneesh.kumar@kernel.org Subject: Re: [RFC PATCH v2 1/5] dma-mapping: Avoid double decrypting with DMA_RESTRICTED_POOL Message-ID: References: <20260330145043.1586623-1-smostafa@google.com> <20260330145043.1586623-2-smostafa@google.com> <20260330150654.GA809900@ziepe.ca> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20260330150654.GA809900@ziepe.ca> On Mon, Mar 30, 2026 at 12:06:54PM -0300, Jason Gunthorpe wrote: > On Mon, Mar 30, 2026 at 02:50:39PM +0000, Mostafa Saleh wrote: > > In case a device have a restricted DMA pool, it will be decrypted > > by default. > > > > However, in the path of dma_direct_alloc() memory can be allocated > > from this pool using, __dma_direct_alloc_pages() => > > dma_direct_alloc_swiotlb() > > > > After that from the same function, it will attempt to decrypt it > > using dma_set_decrypted() if force_dma_unencrypted(). > > > > Which results in the memory being decrypted twice. > > > > It's not clear how the does realm world/hypervisors deal with that, > > for example: > > - CCA: Clear a bit in the page table and call realm IPA_STATE_SET. > > - TDX: Issue a hypercall. > > - pKVM: Which doesn't implement force_dma_unencrypted() at the moment, > > uses a share hypercall. > > > > Change that to only encrypt/decrypt memory that are not allocated > > from the restricted dma pools. > > > > Fixes: f4111e39a52a ("swiotlb: Add restricted DMA alloc/free support") > > Signed-off-by: Mostafa Saleh > > --- > > kernel/dma/direct.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c > > index 8f43a930716d..27d804f0473f 100644 > > --- a/kernel/dma/direct.c > > +++ b/kernel/dma/direct.c > > @@ -79,7 +79,7 @@ bool dma_coherent_ok(struct device *dev, phys_addr_t phys, size_t size) > > > > static int dma_set_decrypted(struct device *dev, void *vaddr, size_t size) > > { > > - if (!force_dma_unencrypted(dev)) > > + if (!force_dma_unencrypted(dev) || is_swiotlb_for_alloc(dev)) > > return 0; > > This seems really obtuse, I would expect the decryption state of the > memory to be known by the caller. If dma_direct_alloc_swiotlb() can > return decrypted or encrypted memory it needs to return a flag saying > that. It shouldn't be deduced by checking dev flags in random places > like this. At the moment restricted dma is always decrypted, also it’s per device so we don’t have to check this per allocation. I can change the signature for __dma_direct_alloc_pages() to make it return an extra flag but that feels more complicated as it changes dma_direct_alloc_swiotlb() , swiotlb_alloc() with its callers. I can investigate this approach further. Thanks, Mostafa > > Double decryption is certainly a bug, I do not expect that to work. > > Jason