| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260113205112.GJ812923@nvidia.com> Date: Tue, 13 Jan 2026 16:51:12 -0400 From: Jason Gunthorpe <jgg@...dia.com> To: Nicolin Chen <nicolinc@...dia.com> Cc: Will Deacon <will@...nel.org>, robin.murphy@....com, joro@...tes.org, linux-arm-kernel@...ts.infradead.org, iommu@...ts.linux.dev, linux-kernel@...r.kernel.org, skolothumtho@...dia.com, praan@...gle.com, xueshuai@...ux.alibaba.com, smostafa@...gle.com Subject: Re: [PATCH rc v5 1/4] iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence On Tue, Jan 13, 2026 at 12:29:11PM -0800, Nicolin Chen wrote: > On Tue, Jan 13, 2026 at 12:12:53PM -0400, Jason Gunthorpe wrote: > > On Tue, Jan 13, 2026 at 03:05:52PM +0000, Will Deacon wrote: > > > I suppose we shouldn't ever see the case that they both have S2S, but > > > that's fine. > > > > If they both have S2S then it works correctly? Any S2S forces EATS to > > follow the normal rules. > > > > > The spec also suggests that there's an additional illegal STE case w/ > > > split-stage ATS (EATS_S1CHK) if Config != S1+S2. > > > > The driver doesn't support that either.. > > > > It is fixed by checking if new EATS is valid under old config and old > > EATS valid under new config. > > > > Also to support S1CHK someday we cannot allow the hypervisor to leave > > S1_S2 and go to S2, since the HW can't deal with that... > > Perhaps the safe bits should only have EATS_TRANS, excluding S1CHK: > > -------------------------------------------------------------------------- > + * When an STE changes EATS_TRANS, the sequencing code in the attach > + * logic already will have the PCI cap for ATS disabled. Thus at this > + * moment we can expect that the device will not generate ATS queries > + * and so we don't care about the sequencing of EATS. The purpose of > + * EATS_TRANS is to protect the system from hostile untrusted devices > + * that issue ATS when the PCI config space is disabled. However, if > + * EATS_TRANS is being changed, then we must have already trusted the > + * device as the EATS_TRANS security block is being disabled. > + * > + * Note: now the EATS_TRANS update is moved to the first entry_set(). > + * Changing S2S and EATS might transiently result in S2S=1 and EATS=1 > + * which is a bad STE (see "5.2 Stream Table Entry"). In such a case, > + * we can't do a hitless update. Also, STRTAB_STE_1_EATS_S1CHK should > + * not be added to the safe bits because it relies on CFG[2:0]=0b111, > + * to prevent another bad STE. > */ > - safe_bits[1] |= cpu_to_le64(STRTAB_STE_1_EATS); > + if (!((cur[2] | target[2]) & cpu_to_le64(STRTAB_STE_2_S2S))) > + safe_bits[1] |= cpu_to_le64( > + FIELD_PREP(STRTAB_STE_1_EATS, STRTAB_STE_1_EATS_TRANS)); > -------------------------------------------------------------------------- > > @will, does this look good to you? I can send a v7 with this. That is an easy way to address Will's observation, makes sense to me. Thanks, Jason
Powered by blists - more mailing lists