[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [RFC PATCH v3 5/6] dt-bindings: of: Add restricted DMA pool
On Thu, Jan 7, 2021 at 2:58 AM Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> wrote: > > On Wed, Jan 06, 2021 at 11:41:23AM +0800, Claire Chang wrote: > > Introduce the new compatible string, restricted-dma-pool, for restricted > > DMA. One can specify the address and length of the restricted DMA memory > > region by restricted-dma-pool in the device tree. > > > > Signed-off-by: Claire Chang <tientzu@xxxxxxxxxxxx> > > --- > > .../reserved-memory/reserved-memory.txt | 24 +++++++++++++++++++ > > 1 file changed, 24 insertions(+) > > > > diff --git > > a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > > b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > > index e8d3096d922c..44975e2a1fd2 100644 > > --- a/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > > +++ b/Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt > > @@ -51,6 +51,20 @@ compatible (optional) - standard definition > > used as a shared pool of DMA buffers for a set of devices. It can > > be used by an operating system to instantiate the necessary pool > > management subsystem if necessary. > > + - restricted-dma-pool: This indicates a region of memory meant to > > be > > + used as a pool of restricted DMA buffers for a set of devices. > > The > > + memory region would be the only region accessible to those > > devices. > > + When using this, the no-map and reusable properties must not be > > set, > > + so the operating system can create a virtual mapping that will > > be used > > + for synchronization. The main purpose for restricted DMA is to > > + mitigate the lack of DMA access control on systems without an > > IOMMU, > > + which could result in the DMA accessing the system memory at > > + unexpected times and/or unexpected addresses, possibly leading > > to data > > + leakage or corruption. The feature on its own provides a basic > > level > > + of protection against the DMA overwriting buffer contents at > > + unexpected times. However, to protect against general data > > leakage and > > + system memory corruption, the system needs to provide way to > > restrict > > + the DMA to a predefined memory region. > > Heya! > > I think I am missing something obvious here so please bear with my > questions: > > - This code adds the means of having the SWIOTLB pool tied to a specific > memory correct? It doesn't affect the existing SWIOTLB. It just utilizes the existing SWIOTLB code to create another DMA pool tied to a specific memory region for a given set of devices. It bounces the streaming DMA (map/unmap) in and out of that region and does the memory allocation (dma_direct_alloc) from the same region. > > > - Nothing stops the physical device from bypassing the SWIOTLB buffer. > That is if an errant device screwed up the length or DMA address, the > SWIOTLB would gladly do what the device told it do? So the system needs to provide a way to lock down the memory access, e.g. MPU. > > - This has to be combined with SWIOTLB-force-ish to always use the > bounce buffer, otherwise you could still do DMA without using > SWIOTLB (by not hitting the criteria for needing to use SWIOTLB)? Since restricted DMA is for the devices that are not behind an IOMMU, I change the criteria `if (unlikely(swiotlb_force == SWIOTLB_FORCE))` to `if (unlikely(swiotlb_force == SWIOTLB_FORCE) || dev->dma_io_tlb_mem)` in dma_direct_map_page(). Also, even if SWIOTLB=force, the restricted DMA pool is preferred if available (get_io_tlb_mem in https://lore.kernel.org/patchwork/patch/1360995/). Thanks!
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |