Xen project Mailing List

Re: [PATCH] arm/acpi: don't expose the ACPI IORT SMMUv3 entry to dom0

From: Rahul Singh <Rahul.Singh@xxxxxxx>

Date: Fri, 29 Apr 2022 18:18:24 +0000

Accept-language: en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 63.35.35.123) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qsTGaAa0fiIKj3RJZoNLhnEkA6ti42zy9E1mk+YvjfE=; b=Rq7YIQkf7ZZDXQt1QZi5hJkPJxf9Db3IwnV3VHJJ0KA5kePm8SZiGzw0UuxjJagDyUGQWNiHduHGR62vZ8YMCHpnppyc9P+G1jvU3s6XUKMhUYTIA+9s7Z924vStr8iLMsza5nk5nsHPyRDfk/1h4CoHtqurCKkVQsidNBlpwyllWyuWG5iZyuF47GEUsClJDaCmbtjwsqaUdp5Nif6MgOvl+cxQiNTG0l49JaUwDSQPDtZ/XBgs7IF2Pwb/bbhUa/Wtp1Sd1tWINmPmHkJS4MUdeOZ6zMu71QyvqJ4XaIFcBcvvX06pVAtN2gyV+5xMzPVPfCi6/Jhqj2uky1h1ng==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qsTGaAa0fiIKj3RJZoNLhnEkA6ti42zy9E1mk+YvjfE=; b=EyFY5OhbJRPvoV9HW1yh8IeXeSblxNqwCxB06yFKheyqrJxeP/9IyxiO2YlCGvmLTnh8aqWY6PWwRp7WHTX94A8e1NriNBJlZjVVkOn7wyrM9VfDe+Ypvw5QJeZz+cwnZEhC6zXwnW8F3HwDI7tsUSgHCQ1g6HB68v54BV2DFdBZuJuJN6qdyJNSLDdKVozLohBamvr/5XEVLBHQ3DsLAKUolTxzUAVKP6dfbl/byBf5gETrBZCOV1CyiBRRd/1QCwTupI6Z77fFiGBK9/tl5IKzD87ZHB9103qwcNLZfBgf9K2dSmEROwO+OV3S9NtUTfaogYnFzskxjkv1SFSU7w==

Arc-seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=NJijWWK2bj0bW3SVosC2DiKliVNoKzON6Ci1MY6ERzpmEPWIcMsqc5EnMGn5bcQ2vwNOc3KitLb+x9XWtjmTB204Q/TfSIDRi4SNcJqQDgMd+CRVIlzVCtFbNGOufOcm6FcjVt6d3orCI/784Z6V7bs7M70JR25s/W4jB++UGU/5DVR6yMFZGtCRiocOiwT3zO6baOxw2enTalHgFN9c9rEhXJr+40dmjxhv5J835xCTePYXRwEAI3iMyTRZFiKWoV0Ebo//IsXVyLx1rKaI/hNZBX4z3dQA8hicXhEhcICu1kXR85hQ/y+z9ofRjLP63kuOpEC0fWEXz1LTSu5JwQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DOs3pnVo7S5P/bGoAbK48r+l7NaKDVmFZ4VOJ76Ge7+kwAQxuCswHl1HbI7z8pfyfK6qVldjHoAI/scLJAYEIywTccYa7zplt4Qgpc3UMbK1e4WTS5odMzC8ZRxj1gLP97RnlE0ogxMi7KlwK+EHwDn6JowNElgMGIJan1OrbzaefzPP/4pYQsgM4i2AIgMIeD7S3DKirvxNMq5n8jF0A2r0A8KCJRFBMxy6VKz34t7ppGJMpdm+0kwBXb8Z7pzJMfRH+z8i3aHQuXKHpWKmay02NU6TvO8IKZW3pyzGhNIIrTXd4t/m83c8FPtTH6KFIaWYM0CIbaJfjaEke2vm0w==

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Fri, 29 Apr 2022 18:18:48 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Original-authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Thread-index: AQHYWlGqg8d+SR8SokCgQy1GM9ERN60EFAcAgAMiW4A=

Thread-topic: [PATCH] arm/acpi: don't expose the ACPI IORT SMMUv3 entry to dom0

Hi Julien, > On 27 Apr 2022, at 7:26 pm, Julien Grall <julien@xxxxxxx> wrote: > > Hi Rahul, > > On 27/04/2022 17:12, Rahul Singh wrote: >> Xen should control the SMMUv3 devices therefore, don't expose the >> SMMUv3 devices to dom0. Deny iomem access to SMMUv3 address space for >> dom0 and also make ACPI IORT SMMUv3 node type to 0xff. > > Looking at the IORT spec (ARM DEN 0049E), 255 (0xff) is marked as reserved. > So I don't think we can "allocate" 0xff to mean invalid without updating the > spec. Did you engage with whoever own the spec? Yes I agree with you 0xff is reserved for future use. I didn’t find any other value to make node invalid. Linux kernel is mostly using the node->type to process the SMMUv3 or other IORT node so I thought this is the only possible solution to hide SMMUv3 for dom0 If you have any other suggestion to hide the SMMUv3 node I am okay to use that. > >> Signed-off-by: Rahul Singh <rahul.singh@xxxxxxx> >> --- >> xen/arch/arm/acpi/domain_build.c | 40 ++++++++++++++++++++++++++++++++ >> 1 file changed, 40 insertions(+) >> diff --git a/xen/arch/arm/acpi/domain_build.c >> b/xen/arch/arm/acpi/domain_build.c >> index bbdc90f92c..ec0b5b261f 100644 >> --- a/xen/arch/arm/acpi/domain_build.c >> +++ b/xen/arch/arm/acpi/domain_build.c >> @@ -14,6 +14,7 @@ >> #include <xen/acpi.h> >> #include <xen/event.h> >> #include <xen/iocap.h> >> +#include <xen/sizes.h> >> #include <xen/device_tree.h> >> #include <xen/libfdt/libfdt.h> >> #include <acpi/actables.h> >> @@ -30,6 +31,7 @@ static int __init acpi_iomem_deny_access(struct domain *d) >> { >> acpi_status status; >> struct acpi_table_spcr *spcr = NULL; >> + struct acpi_table_iort *iort; >> unsigned long mfn; >> int rc; >> @@ -55,6 +57,44 @@ static int __init acpi_iomem_deny_access(struct domain *d) >> printk("Failed to get SPCR table, Xen console may be unavailable\n"); >> } >> + status = acpi_get_table(ACPI_SIG_IORT, 0, >> + (struct acpi_table_header **)&iort); > > At some point we will need to add support to hide the ARM SMMU device and > possibly some devices. So I think it would be better to create a function > that would deal with the IORT. Ok. Let me add the function in next version. > >> + >> + if ( ACPI_SUCCESS(status) ) >> + { >> + int i; > > Please use unsigned int. Ack. > >> + struct acpi_iort_node *node, *end; > > Coding style: Please add a newline. Ack. > >> + node = ACPI_ADD_PTR(struct acpi_iort_node, iort, iort->node_offset); >> + end = ACPI_ADD_PTR(struct acpi_iort_node, iort, iort->header.length); >> + >> + for ( i = 0; i < iort->node_count; i++ ) >> + { >> + if ( node >= end ) > > Wouldn't this only happen if the table is somehow corrupted? If so, I think > we should print an error (or even panic). Ok. > >> + break; >> + >> + switch ( node->type ) >> + { >> + case ACPI_IORT_NODE_SMMU_V3: > > Coding style: The keyword "case" should be aligned the the start of the > keyword "switch”. Ack. > >> + { >> + struct acpi_iort_smmu_v3 *smmu; > > Coding style: Newline. Ack. >> + smmu = (struct acpi_iort_smmu_v3 *)node->node_data; >> + mfn = paddr_to_pfn(smmu->base_address); >> + rc = iomem_deny_access(d, mfn, mfn + PFN_UP(SZ_128K)); >> + if ( rc ) >> + printk("iomem_deny_access failed for SMMUv3\n"); >> + node->type = 0xff; > > 'node' points to the Xen copy of the ACPI table. We should really not touch > this copy. Instead, we should modify the version that will be used by dom0. As of now IORT is untouched by Xen and mapped to dom0. I will create the IORT table for dom0 and modify the node SMMUv3 that will be used by dom0. > > Furthermore, if we go down the road to update node->type, we should 0 the > node to avoid leaking the information to dom0. I am not sure if we can zero the node, let me check and come back to you. > >> + break; >> + } >> + } >> + node = ACPI_ADD_PTR(struct acpi_iort_node, node, node->length); >> + } >> + } >> + else >> + { >> + printk("Failed to get IORT table\n"); >> + return -EINVAL; >> + } > > The IORT is not yet parsed by Xen and AFAIK is optional. So I don't think we > should return an error. Ack. Regards, Rahul

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.