lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <496c2d88-2558-42fe-8434-81c000955a84@arm.com>
Date: Thu, 9 Oct 2025 13:16:10 +0100
From: Robin Murphy <robin.murphy@....com>
To: Krzysztof Kozlowski <krzk@...nel.org>, Rob Herring <robh@...nel.org>,
 Charan Teja Kalla <charan.kalla@....qualcomm.com>
Cc: joro@...tes.org, will@...nel.org, saravanak@...gle.com,
 conor+dt@...nel.org, mchehab@...nel.org, bod@...nel.org, krzk+dt@...nel.org,
 abhinav.kumar@...ux.dev, vikash.garodia@....qualcomm.com,
 dikshita.agarwal@....qualcomm.com, linux-media@...r.kernel.org,
 linux-arm-msm@...r.kernel.org, devicetree@...r.kernel.org,
 linux-kernel@...r.kernel.org, iommu@...ts.linux.dev
Subject: Re: [RFC PATCH 0/3] Introduce iommu-map-masked for platform devices

On 2025-10-09 1:26 am, Krzysztof Kozlowski wrote:
> On 29/09/2025 05:23, Rob Herring wrote:
>> On Sun, Sep 28, 2025 at 12:17 PM Charan Teja Kalla
>> <charan.kalla@....qualcomm.com> wrote:
>>>
>>> This series introduces a new iommu property called iommu-map-masked(may
>>> be there is a better name), which is used to represent the IOMMU
>>> specifier pairs for each function of a __multi-functional platform
>>> device__, where each function can emit unique master id(s) that can be
>>> associated with individual translation context.
>>>
>>> Currently, the iommu configuration - at least for arm architecture-
>>> requires all the functions of a platform device will be represented
>>> under single dt node thus endup in using only a single translation
>>> context.
>>>
>>> A simple solution to associate individual translation context for each
>>> function of a device can be through creating per function child nodes in
>>> the device tree, but dt is only to just represent the soc layout to
>>> linux kernel.
>>>
>>> Supporting such cases requires a new iommu property called,
>>> iommu-map-masked(taking cue from iommu-map for pci devices) and syntax
>>> is:
>>>     iommu-map-masked = <FUNCTION_ID1 &iommu ID1 MASK1>,
>>>                        <FUNCTION_ID2 &iommu ID2 MASK2>;
>>> NOTE: As an RFC, it is considered that this property always expects 4
>>> cells.
>>>
>>> During the probe phase of the driver for a multi-functional device
>>> behind an IOMMU, a child device is instantiated for each FUNCTION_ID.
>>> The call to of_dma_configure_id() on each child sets up the IOMMU
>>> configuration, ensuring that each function of the device is associated
>>> with a distinct translation context.
>>>
>>> This property can also be used in association with 'iommus=' when dt
>>> bindings requires the presence of 'iommus=', example[2]. For these
>>> cases, representation will be(on arm64):
>>>     iommus = <&iommu sid mask>; //for default function.
>>>     iommu-map-masked = <FUNCTION_ID &iommu sid mask>;//additional
>>> function.
>>
>> Where does the FUNCTION_ID value come from?
>>
>> Why can't you just have multiple "iommus" entries where the index
>> defines the default and any FUNCTION_ID entries? What's in each index
>> is specific to the device.
> 
> 
> We discussed the problem earlier and that is what I asked them to do.
> Apparently I was just ignored so now two maintainers say the same. We
> can get ignored still and the third maintainer will have to tell this.

The reason why that isn't really viable is that the "iommus" property 
needs to be consumed directly by the relevant IOMMU driver(s) without a 
dependency on any driver for the client device represented by the node 
itself. For security/isolation purposes the IOMMU has to know about all 
potential DMA sources and be able to be configured for them *before* 
anyone else gets a chance to start initiating DMA from them. If the DT 
consumer is, say, a bare-metal hypervisor, it may have no understanding 
whatsoever of what most of the client devices are nor how they work.

This is part of the reason why we went for a separate "iommu-map" 
property for buses, so that an IOMMU consumer *can* easily tell when 
multiple specifiers do not represent an indivisible set tied to the 
given device, and thus it can expect help from a bus driver to subdivide 
them later (but in the meantime can still safely isolate the entire bus 
based on the output of the map without having to understand the inputs.)

Now, I suppose in some cases it might be technically possible for a 
client device driver to collude with an IOMMU driver to divide a 
monolithic DT device into logical functions after the fact, but for 
Linux I don't see an acceptable way of doing that without some major 
changes to the driver model abstraction and IOMMU API...

Thanks,
Robin.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ