[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250731165301.GY26511@ziepe.ca>
Date: Thu, 31 Jul 2025 13:53:01 -0300
From: Jason Gunthorpe <jgg@...pe.ca>
To: Arto Merilainen <amerilainen@...dia.com>
Cc: "Aneesh Kumar K.V (Arm)" <aneesh.kumar@...nel.org>,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
aik@....com, lukas@...ner.de, Samuel Ortiz <sameo@...osinc.com>,
Xu Yilun <yilun.xu@...ux.intel.com>,
Suzuki K Poulose <Suzuki.Poulose@....com>,
Steven Price <steven.price@....com>,
Catalin Marinas <catalin.marinas@....com>,
Marc Zyngier <maz@...nel.org>, Will Deacon <will@...nel.org>,
Oliver Upton <oliver.upton@...ux.dev>, kvmarm@...ts.linux.dev,
linux-coco@...ts.linux.dev
Subject: Re: [RFC PATCH v1 34/38] coco: guest: arm64: Validate mmio range
found in the interface report
On Thu, Jul 31, 2025 at 02:39:09PM +0300, Arto Merilainen wrote:
> On 28.7.2025 16.52, Aneesh Kumar K.V (Arm) wrote:
>
> > + for (int i = 0; i < interface_report->mmio_range_count; i++, mmio_range++) {
> > +
> > + /*FIXME!! units in 4K size*/
> > + range_id = FIELD_GET(TSM_INTF_REPORT_MMIO_RANGE_ID, mmio_range->range_attributes);
> > +
> > + /* no secure interrupts */
> > + if (msix_tbl_bar != -1 && range_id == msix_tbl_bar) {
> > + pr_info("Skipping misx table\n");
> > + continue;
> > + }
> > +
> > + if (msix_pba_bar != -1 && range_id == msix_pba_bar) {
> > + pr_info("Skipping misx pba\n");
> > + continue;
> > + }
> > +
>
>
> MSI-X and PBA can be placed to a BAR that has other registers as well. While
> the PCIe specification recommends BAR-level isolation for MSI-X structures,
> it is not mandated.
Right, there are not enough BARs in most devices to give MSI its own
BAR.
> It is enough to have sufficient isolation within the
> BAR. Therefore, skipping the MSI-X and PBA BARs altogether may leave
> registers unintentionally mapped via unprotected IPA when they
> should have been mapped via protected IPA.
Right, this sounds bad.
> Instead of skipping the whole BAR, would it make sense to determine
> where the MSI-X related regions reside, and skip validation only from these
> regions?
IMHO this is a mess. The virtualization must end up putting a shared
page(s) covering the MSI space in the middle of the MMIO region.
I think this should be done by fragmenting the layout in the IPA where
the private MMIO is within the protected IPA space with an unmapped
hole covering the MSIX registers. The acceptance process should
validate this.
The MSIX registers would then be located in the shared IPA space.
A normal driver mmaping it's BAR will then crash if it tries to access
the MSIX registers. This is good, we want to catch these non-secure
configurations and block them.
The MSI code will have to know to compute the shared IPA alias and use
that.
Jason
Powered by blists - more mailing lists