On Wed, 16 Jun 2021, Claire Chang wrote: > Introduce the new compatible string, restricted-dma-pool, for restricted > DMA. One can specify the address and length of the restricted DMA memory > region by restricted-dma-pool in the reserved-memory node. > > Signed-off-by: Claire Chang <tientzu@xxxxxxxxxxxx> > --- > .../reserved-memory/reserved-memory.txt | 36 +++++++++++++++++-- > 1 file changed, 33 insertions(+), 3 deletions(-) > > diff --git a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > index e8d3096d922c..46804f24df05 100644 > --- a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > +++ b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > @@ -51,6 +51,23 @@ compatible (optional) - standard definition > used as a shared pool of DMA buffers for a set of devices. It can > be used by an operating system to instantiate the necessary pool > management subsystem if necessary. > + - restricted-dma-pool: This indicates a region of memory meant to be > + used as a pool of restricted DMA buffers for a set of devices. The > + memory region would be the only region accessible to those devices. > + When using this, the no-map and reusable properties must not be set, > + so the operating system can create a virtual mapping that will be used > + for synchronization. The main purpose for restricted DMA is to > + mitigate the lack of DMA access control on systems without an IOMMU, > + which could result in the DMA accessing the system memory at > + unexpected times and/or unexpected addresses, possibly leading to data > + leakage or corruption. The feature on its own provides a basic level > + of protection against the DMA overwriting buffer contents at > + unexpected times. However, to protect against general data leakage and > + system memory corruption, the system needs to provide way to lock down > + the memory access, e.g., MPU. Note that since coherent allocation > + needs remapping, one must set up another device coherent pool by > + shared-dma-pool and use dma_alloc_from_dev_coherent instead for atomic > + coherent allocation. > - vendor specific string in the form <vendor>,[<device>-]<usage> > no-map (optional) - empty property > - Indicates the operating system must not create a virtual mapping > @@ -85,10 +102,11 @@ memory-region-names (optional) - a list of names, one for each corresponding > > Example > ------- > -This example defines 3 contiguous regions are defined for Linux kernel: > +This example defines 4 contiguous regions for Linux kernel: > one default of all device drivers (named linux,cma@72000000 and 64MiB in size), > -one dedicated to the framebuffer device (named framebuffer@78000000, 8MiB), and > -one for multimedia processing (named multimedia-memory@77000000, 64MiB). > +one dedicated to the framebuffer device (named framebuffer@78000000, 8MiB), > +one for multimedia processing (named multimedia-memory@77000000, 64MiB), and > +one for restricted dma pool (named restricted_dma_reserved@0x50000000, 64MiB). > > / { > #address-cells = <1>; > @@ -120,6 +138,11 @@ one for multimedia processing (named multimedia-memory@77000000, 64MiB). > compatible = "acme,multimedia-memory"; > reg = <0x77000000 0x4000000>; > }; > + > + restricted_dma_reserved: restricted_dma_reserved { > + compatible = "restricted-dma-pool"; > + reg = <0x50000000 0x4000000>; > + }; > }; > > /* ... */ > @@ -138,4 +161,11 @@ one for multimedia processing (named multimedia-memory@77000000, 64MiB). > memory-region = <&multimedia_reserved>; > /* ... */ > }; > + > + pcie_device: pcie_device@0,0 { > + reg = <0x83010000 0x0 0x00000000 0x0 0x00100000 > + 0x83010000 0x0 0x00100000 0x0 0x00100000>; > + memory-region = <&restricted_dma_mem_reserved>; Shouldn't it be &restricted_dma_reserved ?