On 02/05/2019 13:45, Thierry Reding wrote:
On Thu, May 02, 2019 at 12:08:21PM +0100, Will Deacon wrote:
On Thu, May 02, 2019 at 12:59:12PM +0200, Thierry Reding wrote:
On Wed, Apr 24, 2019 at 12:52:31PM +0100, Will Deacon wrote:
On Wed, Apr 24, 2019 at 01:36:58PM +0200, Marc Gonzalez wrote:
On 04/04/2019 17:00, Will Deacon wrote:
On Fri, Mar 01, 2019 at 11:20:17AM -0800, Douglas Anderson wrote:
If you're bisecting why your peripherals stopped working, it's
probably this CL. Specifically if you see this in your dmesg:
Unexpected global fault, this could be serious
...then it's almost certainly this CL.
Running your IOMMU-enabled peripherals with the IOMMU in bypass mode
is insecure and effectively disables the protection they provide.
There are few reasons to allow unmatched stream bypass, and even fewer
good ones.
This patch starts the transition over to make it much harder to run
your system insecurely. Expected steps:
1. By default disable bypass (so anyone insecure will notice) but make
it easy for someone to re-enable bypass with just a KConfig change.
That's this patch.
2. After people have had a little time to come to grips with the fact
that they need to set their IOMMUs properly and have had time to
dig into how to do this, the KConfig will be eliminated and bypass
will simply be disabled. Folks who are truly upset and still
haven't fixed their system can either figure out how to add
'arm-smmu.disable_bypass=n' to their command line or revert the
patch in their own private kernel. Of course these folks will be
less secure.
Suggested-by: Robin Murphy <robin.murphy@xxxxxxx>
Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
---
Changes in v2:
- Flipped default to 'yes' and changed comments a lot.
drivers/iommu/Kconfig | 25 +++++++++++++++++++++++++
drivers/iommu/arm-smmu.c | 3 ++-
2 files changed, 27 insertions(+), 1 deletion(-)
Cheers, I'll pick this one up for 5.2.
Hello Will,
You haven't pushed this patch out to linux-next AFAICT.
Is that expected?
It's on my branch for Joerg:
https://git.kernel.org/pub/scm/linux/kernel/git/will/linux.git/log/?h=for-joerg/arm-smmu/updates
which I'll send to him today. My SMMU stuff doesn't go directly into -next.
This made it to linux-next yesterday (less than a week before the merge
window opens) and deliberately breaks existing configurations. That's a
little rude.
At least give people a fair heads-up and a chance to fix things before
you start break things.
Sorry about the inconvenience here.
This patch has been floating around for a while (albeit not in -next, since
I send my stuff via Joerg)
You can't expect people to test random patches from the list if they're
not on Cc. I don't think it's safe to claim that patches have been well
tested until they've been in linux-next for at least a couple of days.
and is heading for 5.3, so you have ages to fix
up your config!
Last I checked, Joerg applied this for 5.2 because you sent it as part
of your "Updates for 5.2" pull request.
It would, of course, be better to configure the IOMMU to
provide mappings for your DMA peripherals, but the trivial config change
will be enough to keep things working. We won't remove that as long as
people are relying on it.
I don't think the Kconfig option is really useful. People nowadays want
to run standard distribution kernels on their devices, and distribution
maintainers will often rely on kernel developers' guidance on what good
defaults are. This patch suggests that the default should be to disable
bypass, so if this hits 5.2 final and distributions create their kernel
packages, they're likely going to go with this default and potentially
break things for many of their users.
Luckily this seems like it's fairly easy to fix, but given that we're
past v5.1-rc6, fixes for this now need to get special treatment. That
would've been okay if this was a pressing issues, but this is changing
something that's worked this way for ages, so it's hardly urgent.
I don't expect most people to run into problems with this change (the new
behaviour matches what SMMUv3 does already).
I see the ARM SMMU v2 used in quite a few DTS files. Not all of these
may be problematic, but I'd be somewhat surprised if Tegra was the only
one impacted.
If people have real technical reasons for needing unmatched stream
bypass, then we'll probably need to consider some sort of per-SMMU
override anyway, since well-meaning users rendering the system unusable
by enabling a security option isn't ideal. I'm in the middle of a big
rework to accommodate platform-specific extensions more easily, so
that's certainly an angle I can try to plan for.
On the other hand, if it's merely that nobody's yet got round to filling
out the DT properly, then AIUI that's pretty much exactly what Doug
wanted to motivate, so that the option *can* be used more widely by
users who might want it. Hence the provocative title :)
Robin.
