lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <6ef158ef-c592-64fe-d204-4e7a526b4e47@arm.com>
Date:   Fri, 18 Aug 2023 17:06:14 +0100
From:   Robin Murphy <robin.murphy@....com>
To:     Thierry Reding <thierry.reding@...il.com>,
        Baolu Lu <baolu.lu@...ux.intel.com>
Cc:     Stanimir Varbanov <stanimir.varbanov@...e.com>,
        Stanimir Varbanov <svarbanov@...e.de>,
        linux-tegra@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        iommu@...ts.linux.dev, linux-kernel@...r.kernel.org,
        Krishna Reddy <vdumpa@...dia.com>,
        Will Deacon <will@...nel.org>, Joerg Roedel <joro@...tes.org>,
        Rob Herring <robh+dt@...nel.org>,
        Krzysztof Kozlowski <krzysztof.kozlowski+dt@...aro.org>,
        Conor Dooley <conor+dt@...nel.org>, devicetree@...r.kernel.org
Subject: Re: [RFC PATCH] iommu: arm-smmu-nvidia: Add default domain type
 implementation op

On 2023-07-14 07:56, Thierry Reding wrote:
> On Fri, Jul 14, 2023 at 11:14:08AM +0800, Baolu Lu wrote:
>> On 2023/7/13 21:31, Thierry Reding wrote:
>>> On Tue, Jul 11, 2023 at 05:55:11PM +0200, Thierry Reding wrote:
>>>> On Tue, Jul 11, 2023 at 01:58:34PM +0300, Stanimir Varbanov wrote:
>>>>> Hi Thierry,
>>>>>
>>>>> Thank you for the comments!
>>>>>
>>>>> On 7/10/23 13:40, Thierry Reding wrote:
>>>>>> On Mon, Jul 10, 2023 at 11:22:52AM +0300, Stanimir Varbanov wrote:
>>>>>>> Add def_domain_type implementation op and override default IOMMU
>>>>>>> domain Kconfig option (CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y), which
>>>>>>> could be enabled on some distros. The current quirk has been done
>>>>>>> for Tegra234 machine, because I found the issue on it. The issue
>>>>>>> itself appears on USB host controller which cannot be initialized
>>>>>>> without IOMMU translation. Something more, we proved that IOMMU
>>>>>>> translation is needed for display and GPU drivers as well.
>>>>>>>
>>>>>>> I evaluated few possible options to solve that:
>>>>>>>
>>>>>>>    a) select default IOMMU domain from .def_domain_type op
>>>>>>>    b) Unset CONFIG_IOMMU_DEFAULT_PASSTHROUGH=n
>>>>>>>    c) add iommu.passthrough=0 on the kernel cmdline
>>>>>>>    d) firmware - ACPI / DT
>>>>>>>
>>>>>>> a) This option is implemented in the proposed patch.
>>>>>>>
>>>>>>> b) Since that the community has agreed that pass-through is preferred
>>>>>>> as a default IOMMU domain option because this will avoid performance
>>>>>>> impacts on some of the platforms [1]. On the other side we have examples
>>>>>>> where you cannot even install Linux distribution on a machine where the
>>>>>>> storage media cannot be detected and the system just hangs.
>>>>>>
>>>>>> That's not how I read that thread. It sounds more to me like Will and
>>>>>> Robin had ideas on how to improve the performance and were planning to
>>>>>> address these issues. It doesn't exactly sound to me like there was
>>>>>> concensus to make passthrough the default.
>>>>>>
>>>>>> Having said that, given that it's possible for distributions and users
>>>>>> to set CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y, I think it would be useful in
>>>>>> general to have a way of enforcing IOMMU translations if it's needed by
>>>>>> the hardware.
>>>>>
>>>>> Exactly, the problem is that some platforms prefer passthrough to avoid
>>>>> performance impacts but others cannot even boot the kernel (and thus
>>>>> installation failure). Passing iommu.passthrough=0 should be an
>>>>> administrator decision, balancing between security and performance.
>>>>>
>>>>> On the other hand the aforementioned mail thread gave some performance
>>>>> numbers which might be are outdated having the improvements made in smmu
>>>>> driver in mind. Unfortunately, I cannot confirm that the performance has
>>>>> been improved during that time.
>>>>>
>>>>>>
>>>>>> I'm not sure I fully understand the particular problems that you're
>>>>>> seeing on Tegra234, though. I'm not aware of anything in the USB host
>>>>>> controller driver (or hardware, for that matter) that would require the
>>>>>> IOMMU to be enabled. The only peculiarity that I can think of is the
>>>>>> firmware, which is typically loaded by an early bootloader and therefore
>>>>>> might perhaps need the IOMMU to properly map this in the kernel.
>>>>>> However, my understanding is that this firmware is loaded into special
>>>>>> carveout regions which don't require remapping.
>>>>>
>>>>> On Jetson Orin AGX (R35.2.1) I see these errors:
>>>>>
>>>>> tegra-mc 2c00000.memory-controller: unknown: write @0x0000000000000080:
>>>>> EMEM address decode error (EMEM decode error)
>>>>>
>>>>> tegra-xusb 3610000.usb: Error while assigning device slot ID
>>>>> tegra-xusb 3610000.usb: Max number of devices this xHCI host supports is 36.
>>>>> usb usb2-port3: couldn't allocate usb_device
>>>>> tegra-mc 2c00000.memory-controller: unknown: write @0x0000000000000090:
>>>>> EMEM address decode error (EMEM decode error)
>>>>> tegra-xusb 3610000.usb: Error while assigning device slot ID
>>>>> tegra-xusb 3610000.usb: Max number of devices this xHCI host supports is 36.
>>>>> usb usb1-port3: couldn't allocate usb_device
>>>>>
>>>>> tegra-mc 2c00000.memory-controller: unknown: write @0x00000000000000a0:
>>>>> EMEM address decode error (EMEM decode error)
>>>>> tegra-xusb 3610000.usb: Error while assigning device slot ID
>>>>> tegra-xusb 3610000.usb: Max number of devices this xHCI host supports is 36.
>>>>> usb usb1-port4: couldn't allocate usb_device
>>>>>
>>>>>>
>>>>>> However, passthrough is admittedly not something that we've thoroughly
>>>>>> tested, so it's possible you're running into a use-case that I'm not
>>>>>> aware of. In that case, could you provide a few more specifics (such as
>>>>>> the DTB and .config) of your build configuration so that I can try and
>>>>>> reproduce?
>>>>>
>>>>> To reproduce you have to add iommu.passthrough=1 on kernel cmdline. The
>>>>> dtb is from Jetpack.
>>>>
>>>> I was able to reproduce this on Jetson Orin NX (the differences to AGX
>>>> Orin should be negligible in this context), though I ended up patching
>>>> the DTB to disable all SMMUs. What fixed it for me was to drop the
>>>> dma-coherent property from the usb@...0000 node. Can you try that on
>>>> your end to see if that works for you as well?
>>>>
>>>> Not that that's a proper solution, of course, but just trying to find
>>>> out if there's perhaps something else going on.
>>>>
>>>>   From the looks of it, it seems like these devices aren't actually DMA
>>>> coherent inherently, but rather the SMMU translations make the accesses
>>>> to memory coherent. I'm trying to find out the exact details, but if it
>>>> turns out to be the case, then what we really want is a way for an IOMMU
>>>> to mark any devices that get attached to it as DMA coherent. It's not
>>>> sufficient to hard-code this in DT because there are various ways in
>>>> which device can end up not attached to an IOMMU despite what the DT
>>>> says.
>>>>
>>>> Jason, or anyone of the IOMMU folks, any thoughts on how this could be
>>>> achieved? DT already has a way of walking up the "DMA hierarchy" looking
>>>> for a DMA coherent parent, but again, making this rely entirely on DT
>>>> seems insufficient.
>>>
>>> I've got a bit more information on what's happening here. There are
>>> three different ways that a device's memory accesses can coherent on
>>> Tegra: 1) when translated through the ARM SMMU, 2) some devices can
>>> force coherency through configuration registers and 3) each device can
>>> be forced to be coherent via the memory controller.
>>>
>>> Option 3) is not something we have much control over because this is
>>> configured during early boot and the corresponding registers locked
>>> down, so the OS can at maximum read out the configuration.
>>>
>>> Option 1) is what is typically used, so a common pattern is that if we
>>> enable IOMMU translations via DT, we also set dma-coherent. Conversely,
>>> if IOMMU translations are disabled via DT, the dma-coherent property
>>> should also be removed because by default most devices will not be
>>> hardcoded to be DMA coherent via option 3). Most device drivers will
>>> also not program the device's configuration registers.
>>>
>>> As a result the desired configuration is to always enable SMMU and rely
>>> on the SMMU translations to provide DMA coherency. As we've seen this
>>> can be problematic, because the device tree doesn't always tell the true
>>> story. For example even if the iommus property exists, the device may
>>> not end up attached to the IOMMU for a number of reasons (the IOMMU
>>> could itself be disabled, a kernel command-line option could prevent the
>>> attachment, or a device could even be detached explicitly).
>>>
>>> So I think what we want to avoid is to mark all device tree nodes as
>>> dma-coherent because it can lead to inconsistencies. A better option
>>> would be to have this property inherited via the IOMMU if the IOMMU
>>> translations themselves cause the coherency to be established. Now it
>>> seems like DT already contains a way of doing that via the "DMA parent".
>>> This works by looking up a special interconnects path called "dma-mem".
>>> We already use this on Tegra to make the memory controller the DMA
>>> parent of all memory clients (i.e. all DMA capable hardware blocks) in
>>> order to enforce a bus-level DMA mask.
>>>
>>> However, in order for the DMA parent mechanism to work for IOMMU, we'd
>>> need to redirect the DMA parent to be the IOMMU, but in that case we
>>> loose the link to the memory controller. Unless, perhaps, if there's a
>>> way to construct an ICC path from device to IOMMU and then to memory
>>> controller and external memory controller (EMC).
>>>
>>> For reference, here's roughly what the data path looks like on Tegra:
>>>
>>> 	device --> MC --> SMMU enabled --> SMMU --> EMC --> DRAM
>>> 	              |                          ^
>>> 	              --> SMMU bypass -----------|
>>>
>>> SMMU can be enabled/disabled per device via a stream ID override
>>> register in the memory controller.
>>>
>>> The biggest downside of that mechanism is still that it's a static
>>> configuration and doesn't respect the actual runtime attachment of a
>>> device to an IOMMU.
>>>
>>> Adding the DT folks to see if they have any good ideas on how best to
>>> represent this from a DT point of view. Would it perhaps be an option
>>> to consider the iommus property when walking up the DMA ancestry?
>>
>> Is it possible to handle this dynamically in the code? Say, set device
>> to be DMA coherent in probe_finalize callback of Tegra iommu driver if
>> the IOMMU translation for this device is on. And clear it in the iommu
>> release device path.
>>
>> Normally we switch the DMA ops in the probe_finalize callback and iommu
>> device release.
> 
> Yeah, I had looked into this as well. Intel, AMD and VirtIO all seem to
> do this during .probe_finalize(), whereas on ARM64 this happens as part
> of the bus' .dma_configure() callback.
> 
> One thing that we could potentially do is fiddle with the struct device
> .dma_coherent member in .probe_finalize() and .release_device(), but I'm
> not sure about the potential ramifications. That is, do we have places
> in the code that assume dev->dma_coherent to be statically set during
> device instantiation?
> 
> We would have to default to not marking devices as dma-coherent in DT
> for that to work, though, because otherwise if someone were to disable
> the IOMMU altogether, .probe_finalize() and .release_device() would
> never get called and we'd never get a chance to override.
> 
> I wonder if we could also use this to dynamically switch a device into
> coherent mode. For example, if it is marked as dma-coherent in device
> tree but doesn't end up as dev->dma_coherent when the driver probes, we
> could try and force coherency via the device's configuration registers.

Indeed, if the device itself can control the memory attributes it 
outputs, then take a look at most users of device_get_dma_attr() for 
examples of doing exactly that.

> I don't know yet if that's really a good idea, though. For correctness
> it would be enough if we can detect at runtime whether a device is DMA
> coherent or not via the IOMMU.

It would be pretty trivial to hook up dynamic coherency through the 
IOMMU API too, but the problem is that in general the IOMMU doesn't 
necessarily know. In ACPI, IORT includes the nifty "Coherent Path to 
Memory" attribute, but no equivalent exists for DT. A "dma-coherent" 
property on the IOMMU node only says that the IOMMU's own memory 
accesses are coherent, but that doesn't guarantee that all of its 
translation interfaces are on coherent paths as well.

Thanks,
Robin.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ