From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B9D53AFCF5
	for <linux-kernel@vger.kernel.org>; Mon,  8 Jun 2026 21:56:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.181
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780955807; cv=none; b=jHZlNbk35jLVeCj0MaGcjy0fuwluyuP5CryoJfE7+YFzWaRA3EihvRL+C74zhRbvevHtYF0unD26xUbV0jYCIgtpcSuH/mxEGOJjbnaJKECpnzxLmWa/TLIomK7V5PjMT0CIxFSsIhAUK9w601TsczeWcLkFMONbetjs/H7drfk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780955807; c=relaxed/simple;
	bh=gceCkSBwwdt3mxcHAkII6lrOZohES5hppE4Qfe92JHM=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=PDm8pKRxuMEpzHchvYvrvFEYJbS8l8UCE59/OkhjcgW/Bd8dV3dvPWcVHeVI2VZriazpHS0DcHT0Ot7KOZlGVjKOFGRUoQycfz03KVNARmHW+NnYK2NydmxBcUR+Bn8Jzr2NpklSXTWOt2defFUSuUQfIEY1nrkyk9Pm9ZT+oQ8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Iii9t7wi; arc=none smtp.client-ip=209.85.214.181
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Iii9t7wi"
Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-2c0c379e8ffso32824405ad.3
        for <linux-kernel@vger.kernel.org>; Mon, 08 Jun 2026 14:56:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1780955805; x=1781560605; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=sXXyfmnFaXTXjgYYiyfgw2DtQ2NRAhcXZrd2mOcuVWY=;
        b=Iii9t7wi4o2uvhqvMvVyeO/q+4rRUwL9VNCWvGmONfaTdfZ8XgL+FJ4nKCKhHG5enz
         +S3psov8dMgcP1PAdiDqGfC8VGvTfVcXv/k8x+s//PmrvuwBt2kttl1+i7eryrWg3KPy
         FunATCXGnJs4H2jsRwZq3PHEGyxq+s9GcdYSNMdQfC8DPBkpLGIbhfaL3h2z+YPTwgGC
         aVTQMp5/PNaLfLVznF7/pTRLCW56xikvnov5RGe7sl6ZEIrrPc2928umx2nbY63QMl3O
         6RmWq5ipMV0kyD0IDe8fMbSKT4JmImUphUJBxVQl17ylPdssJwErkLRLUx9H2hrWofUl
         UDOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1780955805; x=1781560605;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=sXXyfmnFaXTXjgYYiyfgw2DtQ2NRAhcXZrd2mOcuVWY=;
        b=PnqfdwlOJ7PoFbi1pbUmK+qYweua6xXkqdOmKea5GJd0CLWEHS9HOvSbXbpFqxOaeg
         Ta4IyzBIZkkHwcqlJuqTChSeWMfH2tD6YK/xvgsY0xsw1AxlI+lfcq16aKL2/8z5jaUk
         FDxZ8ajjsCG8xs1hocXrCRrAdTXmZvnqCGt3Zec56xmdSPJLmf1mj9aEuJ5X1t7nBYyf
         QjtPcQHgN9IxefW8382UkoJBtbKuIQnoB9e8LIg6UGfslPulX7qTIT/ohbKO4YPOhQOB
         wDyBF+xNII+nGO5i6UHmhoTkY18K0jJjUcdwcPLhlbZRUaUMwdEQd2bfSMTvU/sMG5CM
         LiMQ==
X-Forwarded-Encrypted: i=1; AFNElJ8uiDOQntf5SqeHTBSkZ8xtymY/CdYoZPo/l3YRo0CJBrAN/Cn4GzpkaWRM/kSu0SxtBEkWKlDk2QD+zFQ=@vger.kernel.org
X-Gm-Message-State: AOJu0YzeZ5wn1DGSKBikpAVXKdtZ1Q75nSb5a3AmPLwQ+E/nRJkOKGC+
	59bAyCl3XEipWbB8O/NNz/CdhI1YKhMbpGaX5HCCRIpiexWIWdA3lVJyhUM4wF0BMFjQHclRk+P
	85NE8dtKS
X-Gm-Gg: Acq92OF6vhVGCaEeByucwkpyWSpyBEf+7nK4e9t77+Uh+6IgAUpoxDQKg3TxsqxgVRo
	Q58r44O2d4gXMzP9StSU25iw6NM2LNxn+MIRH/gadZxa6EfgZY5FNylm6KmlUowulNOJa/MxRVT
	SvD6w6amzLWEii852ZA/Xa+ltZXfZI4wqyRC+YtizvYQGR0uFpf/LJdUl7Cjb/PqflzIC6RVii4
	pPb4wI8DciLjy7/B2ZSQx8tbQ+9KE2/51opLb7aSzYBFvi+Ac62zFz2VUAbP7ksICuVUxDUXNOZ
	BteFQViyUShNOjSYQsajrY1Ub7MrAXOlohQQsNY1qWLNHjhI/ivxCLYzsZ5PgSBqHHAW1zNvLLc
	LDItFhMTYXIz6wiopk/y9BgrvVvuzGNFBtFiZdZiD9mvA5U7evDCbyQ2jyUZRj53zas13fulVi6
	uZ39v/CmKDAE6Cmzl3/Gp/IHsYK9HRG6Cg0zcRit+mRkb/RQCm2RbCFUXpwzpIcNjdDw8kTpjV
X-Received: by 2002:a17:902:f542:b0:2c0:ab82:6bb8 with SMTP id d9443c01a7336-2c1e80cfb97mr203347285ad.27.1780955804952;
        Mon, 08 Jun 2026 14:56:44 -0700 (PDT)
Received: from google.com (56.149.168.34.bc.googleusercontent.com. [34.168.149.56])
        by smtp.gmail.com with ESMTPSA id d9443c01a7336-2c16649d2d4sm177346225ad.77.2026.06.08.14.56.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 08 Jun 2026 14:56:44 -0700 (PDT)
Date: Mon, 8 Jun 2026 21:56:41 +0000
From: David Matlack <dmatlack@google.com>
To: Pranjal Shrivastava <praan@google.com>
Cc: kexec@lists.infradead.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux-pci@vger.kernel.org,
	Adithya Jayachandran <ajayachandra@nvidia.com>,
	Alexander Graf <graf@amazon.com>,
	Alex Williamson <alex@shazbot.org>,
	Bjorn Helgaas <bhelgaas@google.com>, Chris Li <chrisl@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Jacob Pan <jacob.pan@linux.microsoft.com>,
	Jason Gunthorpe <jgg@nvidia.com>, Jonathan Corbet <corbet@lwn.net>,
	Josh Hilke <jrhilke@google.com>,
	Leon Romanovsky <leonro@nvidia.com>, Lukas Wunner <lukas@wunner.de>,
	Mike Rapoport <rppt@kernel.org>, Parav Pandit <parav@nvidia.com>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	Pratyush Yadav <pratyush@kernel.org>,
	Saeed Mahameed <saeedm@nvidia.com>,
	Samiullah Khawaja <skhawaja@google.com>,
	Shuah Khan <skhan@linuxfoundation.org>,
	Vipin Sharma <vipinsh@google.com>, William Tu <witu@nvidia.com>,
	Yi Liu <yi.l.liu@intel.com>
Subject: Re: [PATCH v6 08/12] PCI: liveupdate: Inherit ACS flags in incoming
 preserved devices
Message-ID: <aic6mdiZ0qUJpFca@google.com>
References: <20260522202410.3104264-1-dmatlack@google.com>
 <20260522202410.3104264-9-dmatlack@google.com>
 <aiXWmR-ettxin4LC@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aiXWmR-ettxin4LC@google.com>

On 2026-06-07 08:37 PM, Pranjal Shrivastava wrote:
> On Fri, May 22, 2026 at 08:24:06PM +0000, David Matlack wrote:
> > Inherit Access Control Services (ACS) flags on all incoming preserved
> > devices (endpoints and upstream bridges) during a Live Update.
> > 
> > Inheriting ACS flags avoids changing routing rules while memory
> > transactions are in flight from preserved devices. This is also strictly
> > necessary to ensure that IOMMU group assignments do not change across
> > a Live Update for preserved devices, as changing ACS configurations can
> > split or merge IOMMU groups.
> > 
> > Cache the inherited ACS controls established by the previous kernel in
> > struct pci_dev so that ACS controls do not change after a reset
> > (pci_restore_state() calls pci_enable_acs()).
> > 
> > To simplify ACS inheritance, reject preserving any devices that require
> > quirks to enable ACS as those quirks would also have to take Live Update
> > into account.
> > 
> > Signed-off-by: David Matlack <dmatlack@google.com>
> > ---
> >  drivers/pci/liveupdate.c       | 68 ++++++++++++++++++++++++++++++++++
> >  drivers/pci/liveupdate.h       | 11 ++++++
> >  drivers/pci/pci.c              |  5 +++
> >  drivers/pci/pci.h              |  5 +++
> >  drivers/pci/quirks.c           |  7 ++++
> >  include/linux/pci_liveupdate.h |  6 +++
> >  6 files changed, 102 insertions(+)
> > 
> 
> [...]
> 
> >  
> > +void pci_liveupdate_init_acs(struct pci_dev *dev)
> > +{
> > +	guard(rwsem_read)(&pci_liveupdate.rwsem);
> > +
> > +	if (!dev->acs_cap || !dev->liveupdate.incoming)
> > +		return;
> > +
> > +	pci_read_config_word(dev, dev->acs_cap + PCI_ACS_CTRL, &dev->liveupdate.acs_ctrl);
> 
> I might be thinking out loud here, but as an attacker, this motivates me
> to somehow hack the EP FW to mis-report the PCI_ACS_CTRL register across
> a liveupdate to fool the incoming kernel. If the FW feeds a 0, it silently
> strips ACS protections.
> 
> Should we also serialize ACS state in ser somehow to ensure we aren't 
> fooled by something like this?

What does "EP FW" mean?

Does such an attacker even need Live Update to attack the system? It
seems like such an attacker could route TLPs in whatever malicious way
they want regardless of Live Update.

> 
> > +}
> > +
> > +int pci_liveupdate_enable_acs(struct pci_dev *dev)
> > +{
> > +	u16 acs_ctrl = dev->liveupdate.acs_ctrl;
> > +	u16 acs_cap = dev->acs_cap;
> > +
> > +	/*
> > +	 * Use liveupdate.was_preserved instead of liveupdate.incoming since the
> > +	 * device's ACS controls should not change even after the device is
> > +	 * finished participating in the Live Update.
> > +	 */
> > +	if (!dev->liveupdate.was_preserved)
> > +		return -EINVAL;
> > +
> > +	/*
> > +	 * The previous kernel should not have preserved any devices that
> > +	 * require device-specific quirks to enable ACS, but if such a device is
> > +	 * detected, log a big warning and fall back to the normal enable ACS
> > +	 * path.
> > +	 */
> 
> Nit: It might be worth adding a note here that this can also happen if a
> new device-specific ACS quirk is introduced in the incoming kernel for a
> device that was preserved by the old kernel (which didn't have the quirk).
> In such cases, the two kernels are essentially non-LUO-compatible..

Yes will do.

> 
> > +	if (pci_need_dev_specific_enable_acs(dev)) {
> > +		pci_warn(dev, "Device-specific quirk required to enable ACS!\n");
> > +		WARN_ON_ONCE(true);
> > +		return -EINVAL;
> > +	}
> > +
> > +	if (acs_cap)
> > +		pci_write_config_word(dev, acs_cap + PCI_ACS_CTRL, acs_ctrl);
> > +
> > +	return 0;
> > +}
> > +
> >  /**
> >   * pci_liveupdate_is_incoming() - Check if a device is incoming-preserved
> >   * @dev: The PCI device to check
> 
> [...]
> 
> Thanks,
> Praan