[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] arm/acpi: don't expose the ACPI IORT SMMUv3 entry to dom0


  • To: Julien Grall <julien@xxxxxxx>
  • From: Rahul Singh <Rahul.Singh@xxxxxxx>
  • Date: Fri, 29 Apr 2022 18:18:24 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qsTGaAa0fiIKj3RJZoNLhnEkA6ti42zy9E1mk+YvjfE=; b=Rq7YIQkf7ZZDXQt1QZi5hJkPJxf9Db3IwnV3VHJJ0KA5kePm8SZiGzw0UuxjJagDyUGQWNiHduHGR62vZ8YMCHpnppyc9P+G1jvU3s6XUKMhUYTIA+9s7Z924vStr8iLMsza5nk5nsHPyRDfk/1h4CoHtqurCKkVQsidNBlpwyllWyuWG5iZyuF47GEUsClJDaCmbtjwsqaUdp5Nif6MgOvl+cxQiNTG0l49JaUwDSQPDtZ/XBgs7IF2Pwb/bbhUa/Wtp1Sd1tWINmPmHkJS4MUdeOZ6zMu71QyvqJ4XaIFcBcvvX06pVAtN2gyV+5xMzPVPfCi6/Jhqj2uky1h1ng==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qsTGaAa0fiIKj3RJZoNLhnEkA6ti42zy9E1mk+YvjfE=; b=EyFY5OhbJRPvoV9HW1yh8IeXeSblxNqwCxB06yFKheyqrJxeP/9IyxiO2YlCGvmLTnh8aqWY6PWwRp7WHTX94A8e1NriNBJlZjVVkOn7wyrM9VfDe+Ypvw5QJeZz+cwnZEhC6zXwnW8F3HwDI7tsUSgHCQ1g6HB68v54BV2DFdBZuJuJN6qdyJNSLDdKVozLohBamvr/5XEVLBHQ3DsLAKUolTxzUAVKP6dfbl/byBf5gETrBZCOV1CyiBRRd/1QCwTupI6Z77fFiGBK9/tl5IKzD87ZHB9103qwcNLZfBgf9K2dSmEROwO+OV3S9NtUTfaogYnFzskxjkv1SFSU7w==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=NJijWWK2bj0bW3SVosC2DiKliVNoKzON6Ci1MY6ERzpmEPWIcMsqc5EnMGn5bcQ2vwNOc3KitLb+x9XWtjmTB204Q/TfSIDRi4SNcJqQDgMd+CRVIlzVCtFbNGOufOcm6FcjVt6d3orCI/784Z6V7bs7M70JR25s/W4jB++UGU/5DVR6yMFZGtCRiocOiwT3zO6baOxw2enTalHgFN9c9rEhXJr+40dmjxhv5J835xCTePYXRwEAI3iMyTRZFiKWoV0Ebo//IsXVyLx1rKaI/hNZBX4z3dQA8hicXhEhcICu1kXR85hQ/y+z9ofRjLP63kuOpEC0fWEXz1LTSu5JwQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DOs3pnVo7S5P/bGoAbK48r+l7NaKDVmFZ4VOJ76Ge7+kwAQxuCswHl1HbI7z8pfyfK6qVldjHoAI/scLJAYEIywTccYa7zplt4Qgpc3UMbK1e4WTS5odMzC8ZRxj1gLP97RnlE0ogxMi7KlwK+EHwDn6JowNElgMGIJan1OrbzaefzPP/4pYQsgM4i2AIgMIeD7S3DKirvxNMq5n8jF0A2r0A8KCJRFBMxy6VKz34t7ppGJMpdm+0kwBXb8Z7pzJMfRH+z8i3aHQuXKHpWKmay02NU6TvO8IKZW3pyzGhNIIrTXd4t/m83c8FPtTH6KFIaWYM0CIbaJfjaEke2vm0w==
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Fri, 29 Apr 2022 18:18:48 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Thread-index: AQHYWlGqg8d+SR8SokCgQy1GM9ERN60EFAcAgAMiW4A=
  • Thread-topic: [PATCH] arm/acpi: don't expose the ACPI IORT SMMUv3 entry to dom0

Hi Julien,

> On 27 Apr 2022, at 7:26 pm, Julien Grall <julien@xxxxxxx> wrote:
> 
> Hi Rahul,
> 
> On 27/04/2022 17:12, Rahul Singh wrote:
>> Xen should control the SMMUv3 devices therefore, don't expose the
>> SMMUv3 devices to dom0. Deny iomem access to SMMUv3 address space for
>> dom0 and also make ACPI IORT SMMUv3 node type to 0xff.
> 
> Looking at the IORT spec (ARM DEN 0049E), 255 (0xff) is marked as reserved. 
> So I don't think we can "allocate" 0xff to mean invalid without updating the 
> spec. Did you engage with whoever own the spec?

Yes I agree with you 0xff is reserved for future use. I didn’t find any other 
value to make node invalid. 
Linux kernel is mostly using the node->type to process the SMMUv3 or other IORT 
node so I thought this is the only possible solution to hide SMMUv3 for dom0

If you have any other suggestion to hide the SMMUv3 node I am okay to use that.
> 
>> Signed-off-by: Rahul Singh <rahul.singh@xxxxxxx>
>> ---
>> xen/arch/arm/acpi/domain_build.c | 40 ++++++++++++++++++++++++++++++++
>> 1 file changed, 40 insertions(+)
>> diff --git a/xen/arch/arm/acpi/domain_build.c 
>> b/xen/arch/arm/acpi/domain_build.c
>> index bbdc90f92c..ec0b5b261f 100644
>> --- a/xen/arch/arm/acpi/domain_build.c
>> +++ b/xen/arch/arm/acpi/domain_build.c
>> @@ -14,6 +14,7 @@
>> #include <xen/acpi.h>
>> #include <xen/event.h>
>> #include <xen/iocap.h>
>> +#include <xen/sizes.h>
>> #include <xen/device_tree.h>
>> #include <xen/libfdt/libfdt.h>
>> #include <acpi/actables.h>
>> @@ -30,6 +31,7 @@ static int __init acpi_iomem_deny_access(struct domain *d)
>> {
>> acpi_status status;
>> struct acpi_table_spcr *spcr = NULL;
>> + struct acpi_table_iort *iort;
>> unsigned long mfn;
>> int rc;
>> @@ -55,6 +57,44 @@ static int __init acpi_iomem_deny_access(struct domain *d)
>> printk("Failed to get SPCR table, Xen console may be unavailable\n");
>> }
>> + status = acpi_get_table(ACPI_SIG_IORT, 0,
>> + (struct acpi_table_header **)&iort);
> 
> At some point we will need to add support to hide the ARM SMMU device and 
> possibly some devices. So I think it would be better to create a function 
> that would deal with the IORT.

Ok. Let me add the function in next version.
> 
>> +
>> + if ( ACPI_SUCCESS(status) )
>> + {
>> + int i;
> 
> Please use unsigned int.
Ack.
> 
>> + struct acpi_iort_node *node, *end;
> 
> Coding style: Please add a newline.

Ack. 
> 
>> + node = ACPI_ADD_PTR(struct acpi_iort_node, iort, iort->node_offset);
>> + end = ACPI_ADD_PTR(struct acpi_iort_node, iort, iort->header.length);
>> +
>> + for ( i = 0; i < iort->node_count; i++ )
>> + {
>> + if ( node >= end )
> 
> Wouldn't this only happen if the table is somehow corrupted? If so, I think 
> we should print an error (or even panic).

Ok.
> 
>> + break;
>> +
>> + switch ( node->type )
>> + {
>> + case ACPI_IORT_NODE_SMMU_V3:
> 
> Coding style: The keyword "case" should be aligned the the start of the 
> keyword "switch”.
Ack. 
> 
>> + {
>> + struct acpi_iort_smmu_v3 *smmu;
> 
> Coding style: Newline.

Ack. 
>> + smmu = (struct acpi_iort_smmu_v3 *)node->node_data;
>> + mfn = paddr_to_pfn(smmu->base_address);
>> + rc = iomem_deny_access(d, mfn, mfn + PFN_UP(SZ_128K));
>> + if ( rc )
>> + printk("iomem_deny_access failed for SMMUv3\n");
>> + node->type = 0xff;
> 
> 'node' points to the Xen copy of the ACPI table. We should really not touch 
> this copy. Instead, we should modify the version that will be used by dom0.

As of now IORT is untouched by Xen and mapped to dom0. I will create the IORT 
table for dom0 and modify the node SMMUv3 that will be used by dom0.
> 
> Furthermore, if we go down the road to update node->type, we should 0 the 
> node to avoid leaking the information to dom0.

I am not sure if we can zero the node, let me check and come back to you. 
> 
>> + break;
>> + }
>> + }
>> + node = ACPI_ADD_PTR(struct acpi_iort_node, node, node->length);
>> + }
>> + }
>> + else
>> + {
>> + printk("Failed to get IORT table\n");
>> + return -EINVAL;
>> + }
> 
> The IORT is not yet parsed by Xen and AFAIK is optional. So I don't think we 
> should return an error.

Ack. 

Regards,
Rahul


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.