| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BN9PR11MB5276D640C4E906EBBC3EA6D08C9C2@BN9PR11MB5276.namprd11.prod.outlook.com> Date: Wed, 4 Sep 2024 08:17:53 +0000 From: "Tian, Kevin" <kevin.tian@...el.com> To: Baolu Lu <baolu.lu@...ux.intel.com>, Joerg Roedel <joro@...tes.org>, "Will Deacon" <will@...nel.org>, Robin Murphy <robin.murphy@....com> CC: "Saarinen, Jani" <jani.saarinen@...el.com>, "iommu@...ts.linux.dev" <iommu@...ts.linux.dev>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org> Subject: RE: [PATCH 1/1] iommu/vt-d: Prevent boot failure with devices requiring ATS > From: Baolu Lu <baolu.lu@...ux.intel.com> > Sent: Wednesday, September 4, 2024 3:50 PM > > On 2024/9/4 14:49, Tian, Kevin wrote: > >> From: Lu Baolu <baolu.lu@...ux.intel.com> > >> Sent: Wednesday, September 4, 2024 2:07 PM > >> > >> SOC-integrated devices on some platforms require their PCI ATS enabled > >> for operation when the IOMMU is in scalable mode. Those devices are > >> reported via ACPI/SATC table with the ATC_REQUIRED bit set in the Flags > >> field. > >> > >> The PCI subsystem offers the 'pci=noats' kernel command to disable PCI > >> ATS on all devices. Using 'pci=noat' with devices that require PCI ATS > >> can cause a conflict, leading to boot failure, especially if the device > >> is a graphics device. > >> > >> To prevent this issue, check PCI ATS support before enumerating the > IOMMU > >> devices. If any device requires PCI ATS, but PCI ATS is disabled by > >> 'pci=noats', switch the IOMMU to operate in legacy mode to ensure > >> successful booting. > > > > I guess the reason of switching to legacy mode is because the platform > > automatically enables ATS in this mode, as the comment says in > > dmar_ats_supported(). This should be explained otherwise it's unclear > > why switching the mode can make ATS working for those devices. > > Not 'automatically enable ATS,' but hardware provides something that is > equivalent to PCI ATS. The ATS capability on the device is still > disabled. That's the reason why such device must be an SOC-integrated > one. well does that equivalent means use PCI ATS protocol at all (i.e. do untranslated request followed by translated request based on device TLB)? If yes it's still ATS under the hood. If not could you elaborate how it works in PCI world? > > > > > But then doesn't it break the meaning of 'pci=noats' which means > > disabling ATS physically? It's described as "do not use PCIe ATS and > > IOMMU device IOTLB" in kernel doc, which is not equivalent to > > "leave PCIe ATS to be managed by HW". > > Therefore, the PCI ATS is not used and the syntax of pci=noats is not > broken. I'm not sure the point of noats is to just disable the PCI capability while allowing the underlying hw to continue sending ATS protocol... > > > and why would one want to use 'pci=noats' on a platform which > > requires ats? > > We don't recommend users to disable ATS on a platform which has devices > that rely on it. But nothing can prevent users from doing so. I am not > sure why it is needed. One possible reason that I can think of is about > security. Sometimes, people don't trust ATS because it allows devices to > access the memory with translated requests directly without any > permission check on the IOMMU end. > but this doesn't make sense. If the user doesn't trust ATS and deliberately wants to disable ats then it should be followed and whatever usage requiring ATS is then broken. The user should decide which is more favored between security vs. usage to make the right call.
Powered by blists - more mailing lists