virtualization.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
Cc: Kuppuswamy Sathyanarayanan <knsathya@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	linux-pci@vger.kernel.org, linux-mips@vger.kernel.org,
	James E J Bottomley <James.Bottomley@hansenpartnership.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Peter H Anvin <hpa@zytor.com>,
	sparclinux@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Andi Kleen <ak@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>,
	Helge Deller <deller@gmx.de>,
	x86@kernel.org, Ingo Molnar <mingo@redhat.com>,
	linux-arch@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
	Tony Luck <tony.luck@intel.com>, Borislav Petkov <bp@alien8.de>,
	Andy Lutomirski <luto@kernel.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Dan Williams <dan.j.williams@intel.com>,
	virtualization@lists.linux-foundation.org,
	Richard Henderson <rth@twiddle.net>,
	Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
	linux-parisc@vger.kernel.org,
	Sean Christopherson <seanjc@google.com>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-alpha@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
	"David S . Miller" <davem@davemloft.net>,
	Kirill Shutemov <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH v5 12/16] PCI: Add pci_iomap_host_shared(), pci_iomap_host_shared_range()
Date: Sat, 9 Oct 2021 05:53:32 -0400	[thread overview]
Message-ID: <20211009053103-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20211009003711.1390019-13-sathyanarayanan.kuppuswamy@linux.intel.com>

On Fri, Oct 08, 2021 at 05:37:07PM -0700, Kuppuswamy Sathyanarayanan wrote:
> From: Andi Kleen <ak@linux.intel.com>
> 
> For Confidential VM guests like TDX, the host is untrusted and hence
> the devices emulated by the host or any data coming from the host
> cannot be trusted. So the drivers that interact with the outside world
> have to be hardened by sharing memory with host on need basis
> with proper hardening fixes.
> 
> For the PCI driver case, to share the memory with the host add
> pci_iomap_host_shared() and pci_iomap_host_shared_range() APIs.
> 
> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>

So I proposed to make all pci mappings shared, eliminating the need
to patch drivers.

To which Andi replied
	One problem with removing the ioremap opt-in is that
	it's still possible for drivers to get at devices without going through probe.

To which Greg replied:
https://lore.kernel.org/all/YVXBNJ431YIWwZdQ@kroah.com/
	If there are in-kernel PCI drivers that do not do this, they need to be
	fixed today.

Can you guys resolve the differences here?

And once they are resolved, mention this in the commit log so
I don't get to re-read the series just to find out nothing
changed in this respect?

I frankly do not believe we are anywhere near being able to harden
an arbitrary kernel config against attack.
How about creating a defconfig that makes sense for TDX then?
Anyone deviating from that better know what they are doing,
this API tweaking is just putting policy into the kernel  ...

> ---
>  Changes since v4:
>  * Replaced "_shared" with "_host_shared" in pci_iomap* APIs
>  * Fixed commit log as per review comments.
> 
>  include/asm-generic/pci_iomap.h |  6 +++++
>  lib/pci_iomap.c                 | 47 +++++++++++++++++++++++++++++++++
>  2 files changed, 53 insertions(+)
> 
> diff --git a/include/asm-generic/pci_iomap.h b/include/asm-generic/pci_iomap.h
> index df636c6d8e6c..a4a83c8ab3cf 100644
> --- a/include/asm-generic/pci_iomap.h
> +++ b/include/asm-generic/pci_iomap.h
> @@ -18,6 +18,12 @@ extern void __iomem *pci_iomap_range(struct pci_dev *dev, int bar,
>  extern void __iomem *pci_iomap_wc_range(struct pci_dev *dev, int bar,
>  					unsigned long offset,
>  					unsigned long maxlen);
> +extern void __iomem *pci_iomap_host_shared(struct pci_dev *dev, int bar,
> +					   unsigned long max);
> +extern void __iomem *pci_iomap_host_shared_range(struct pci_dev *dev, int bar,
> +						 unsigned long offset,
> +						 unsigned long maxlen);
> +
>  /* Create a virtual mapping cookie for a port on a given PCI device.
>   * Do not call this directly, it exists to make it easier for architectures
>   * to override */
> diff --git a/lib/pci_iomap.c b/lib/pci_iomap.c
> index 57bd92f599ee..2816dc8715da 100644
> --- a/lib/pci_iomap.c
> +++ b/lib/pci_iomap.c
> @@ -25,6 +25,11 @@ static void __iomem *map_ioremap_wc(phys_addr_t addr, size_t size)
>  	return ioremap_wc(addr, size);
>  }
>  
> +static void __iomem *map_ioremap_host_shared(phys_addr_t addr, size_t size)
> +{
> +	return ioremap_host_shared(addr, size);
> +}
> +
>  static void __iomem *pci_iomap_range_map(struct pci_dev *dev,
>  					 int bar,
>  					 unsigned long offset,
> @@ -106,6 +111,48 @@ void __iomem *pci_iomap_wc_range(struct pci_dev *dev,
>  }
>  EXPORT_SYMBOL_GPL(pci_iomap_wc_range);
>  
> +/**
> + * pci_iomap_host_shared_range - create a virtual shared mapping cookie
> + *				 for a PCI BAR
> + * @dev: PCI device that owns the BAR
> + * @bar: BAR number
> + * @offset: map memory at the given offset in BAR
> + * @maxlen: max length of the memory to map
> + *
> + * Remap a pci device's resources shared in a confidential guest.
> + * For more details see pci_iomap_range's documentation.

So how does a driver author know when to use this function, and when to
use the regular pci_iomap_range?  Drivers have no idea whether they are
used in a confidential guest, and which ranges are shared, it's a TDX
thing ...

This documentation should really address it.

> + *
> + * @maxlen specifies the maximum length to map. To get access to
> + * the complete BAR from offset to the end, pass %0 here.
> + */
> +void __iomem *pci_iomap_host_shared_range(struct pci_dev *dev, int bar,
> +					  unsigned long offset,
> +					  unsigned long maxlen)
> +{
> +	return pci_iomap_range_map(dev, bar, offset, maxlen,
> +				   map_ioremap_host_shared, true);
> +}
> +EXPORT_SYMBOL_GPL(pci_iomap_host_shared_range);
> +
> +/**
> + * pci_iomap_host_shared - create a virtual shared mapping cookie for a PCI BAR
> + * @dev: PCI device that owns the BAR
> + * @bar: BAR number
> + * @maxlen: length of the memory to map
> + *
> + * See pci_iomap for details. This function creates a shared mapping
> + * with the host for confidential hosts.
> + *
> + * @maxlen specifies the maximum length to map. To get access to the
> + * complete BAR without checking for its length first, pass %0 here.
> + */
> +void __iomem *pci_iomap_host_shared(struct pci_dev *dev, int bar,
> +			       unsigned long maxlen)
> +{
> +	return pci_iomap_host_shared_range(dev, bar, 0, maxlen);
> +}
> +EXPORT_SYMBOL_GPL(pci_iomap_host_shared);
> +
>  /**
>   * pci_iomap - create a virtual mapping cookie for a PCI BAR
>   * @dev: PCI device that owns the BAR
> -- 
> 2.25.1

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

  parent reply	other threads:[~2021-10-09  9:53 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20211009003711.1390019-1-sathyanarayanan.kuppuswamy@linux.intel.com>
     [not found] ` <20211009003711.1390019-17-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-09  1:45   ` [PATCH v5 16/16] x86/tdx: Add cmdline option to force use of ioremap_host_shared Randy Dunlap
2021-10-09 11:04   ` Michael S. Tsirkin
2021-10-11  2:39     ` Andi Kleen
2021-10-11 12:04       ` Michael S. Tsirkin
2021-10-11 17:35         ` Andi Kleen
2021-10-11 18:28           ` Michael S. Tsirkin
2021-10-12 17:55             ` Andi Kleen
2021-10-12 20:59               ` Michael S. Tsirkin
2021-10-12 21:18                 ` Andi Kleen
2021-10-12 21:30                   ` Michael S. Tsirkin
2021-10-15  5:50                     ` Andi Kleen
2021-10-15  6:57                       ` Michael S. Tsirkin
     [not found] ` <20211009003711.1390019-13-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-09  9:53   ` Michael S. Tsirkin [this message]
2021-10-09 20:39     ` [PATCH v5 12/16] PCI: Add pci_iomap_host_shared(), pci_iomap_host_shared_range() Dan Williams
2021-10-10 22:11       ` Andi Kleen
2021-10-12 17:42         ` Dan Williams
2021-10-12 18:35           ` Andi Kleen
2021-10-12 21:14             ` Dan Williams
2021-10-12 21:18               ` Michael S. Tsirkin
2021-10-12 21:24                 ` Andi Kleen
2021-10-12 21:28               ` Andi Kleen
2021-10-12 22:00                 ` Dan Williams
2021-10-18 12:13             ` Greg KH
     [not found]         ` <DM8PR11MB57501C8F8F5C8B315726882EE7B69@DM8PR11MB5750.namprd11.prod.outlook.com>
2021-10-12 18:38           ` Andi Kleen
     [not found]             ` <DM8PR11MB57505C520763DF706309E177E7B69@DM8PR11MB5750.namprd11.prod.outlook.com>
2021-10-12 19:13               ` Dan Williams
2021-10-12 19:49                 ` Andi Kleen
2021-10-12 21:11           ` Michael S. Tsirkin
     [not found]             ` <DM8PR11MB5750A40FAA6AFF6A29CF70DAE7B89@DM8PR11MB5750.namprd11.prod.outlook.com>
2021-10-14  6:57               ` Michael S. Tsirkin
     [not found]                 ` <DM8PR11MB57500B2D821E8AAF93EB66CEE7B89@DM8PR11MB5750.namprd11.prod.outlook.com>
2021-10-14  9:26                   ` Michael S. Tsirkin
     [not found]                     ` <DM8PR11MB57505AAA1E1209F7FCA69C11E7B89@DM8PR11MB5750.namprd11.prod.outlook.com>
2021-10-17 22:17                       ` Michael S. Tsirkin
2021-10-14 11:49                   ` Michael S. Tsirkin
2021-10-17 21:52               ` Thomas Gleixner
2021-10-18  0:55         ` Thomas Gleixner
2021-10-18  1:10           ` Thomas Gleixner
2021-10-18 12:08         ` Greg KH
2021-10-10 22:22     ` Andi Kleen
2021-10-11 11:59       ` Michael S. Tsirkin
2021-10-11 17:32         ` Andi Kleen
2021-10-11 18:22           ` Michael S. Tsirkin
2021-10-18 12:15         ` Greg KH
2021-10-18 13:17           ` Michael S. Tsirkin
2021-10-11  7:58   ` Christoph Hellwig
2021-10-11 17:23     ` Andi Kleen
2021-10-11 19:09       ` Michael S. Tsirkin
2021-10-12  5:31         ` Christoph Hellwig
2021-10-12 18:37           ` Andi Kleen
     [not found] ` <20211009003711.1390019-5-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-20 16:03   ` [PATCH v5 04/16] x86/tdx: Make pages shared in ioremap() Tom Lendacky via Virtualization
     [not found] ` <20211009003711.1390019-2-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-20 16:11   ` [PATCH v5 01/16] x86/mm: Move force_dma_unencrypted() to common code Tom Lendacky via Virtualization
     [not found] ` <20211009003711.1390019-7-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-20 16:33   ` [PATCH v5 06/16] x86/tdx: Make DMA pages shared Tom Lendacky via Virtualization
     [not found]     ` <66acafb6-7659-7d76-0f52-d002cfae9cc8@linux.intel.com>
2021-10-20 17:22       ` Tom Lendacky via Virtualization
     [not found] ` <20211009003711.1390019-8-sathyanarayanan.kuppuswamy@linux.intel.com>
2021-10-20 16:39   ` [PATCH v5 07/16] x86/kvm: Use bounce buffers for TD guest Tom Lendacky via Virtualization
     [not found]     ` <0a9c6485-74d8-e0fc-d261-097380272e07@linux.intel.com>
2021-10-20 17:26       ` Tom Lendacky via Virtualization
     [not found] ` <20211009003711.1390019-4-sathyanarayanan.kuppuswamy@linux.intel.com>
     [not found]   ` <YYWsJFP31vpCAVFg@google.com>
2021-11-08 14:45     ` [PATCH v5 03/16] x86/tdx: Exclude Shared bit from physical_mask Kirill A. Shutemov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211009053103-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=aarcange@redhat.com \
    --cc=ak@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=bhelgaas@google.com \
    --cc=bp@alien8.de \
    --cc=corbet@lwn.net \
    --cc=dan.j.williams@intel.com \
    --cc=dave.hansen@intel.com \
    --cc=davem@davemloft.net \
    --cc=deller@gmx.de \
    --cc=hpa@zytor.com \
    --cc=jpoimboe@redhat.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=knsathya@kernel.org \
    --cc=linux-alpha@vger.kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mips@vger.kernel.org \
    --cc=linux-parisc@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rth@twiddle.net \
    --cc=sathyanarayanan.kuppuswamy@linux.intel.com \
    --cc=seanjc@google.com \
    --cc=sparclinux@vger.kernel.org \
    --cc=tglx@linutronix.de \
    --cc=tony.luck@intel.com \
    --cc=tsbogend@alpha.franken.de \
    --cc=virtualization@lists.linux-foundation.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).