Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default

From: Robin Murphy
Date: Thu Oct 03 2019 - 16:42:28 EST

Next message: Leonardo Bras: "Re: [PATCH v5 10/11] mm/Kconfig: Adds config option to track lockless pagetable walks"
Previous message: Stephen Rothwell: "linux-next: Fixes tags need some work in the amlogic tree"
In reply to: Tim Harvey: "Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default"
Next in thread: Tim Harvey: "Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Tim,

On 2019-10-03 7:27 pm, Tim Harvey wrote:

On Fri, Mar 1, 2019 at 11:21 AM Douglas Anderson <dianders@xxxxxxxxxxxx> wrote:

If you're bisecting why your peripherals stopped working, it's
probably this CL. Specifically if you see this in your dmesg:
Unexpected global fault, this could be serious
...then it's almost certainly this CL.

Running your IOMMU-enabled peripherals with the IOMMU in bypass mode
is insecure and effectively disables the protection they provide.
There are few reasons to allow unmatched stream bypass, and even fewer
good ones.

This patch starts the transition over to make it much harder to run
your system insecurely. Expected steps:

1. By default disable bypass (so anyone insecure will notice) but make
it easy for someone to re-enable bypass with just a KConfig change.
That's this patch.

2. After people have had a little time to come to grips with the fact
that they need to set their IOMMUs properly and have had time to
dig into how to do this, the KConfig will be eliminated and bypass
will simply be disabled. Folks who are truly upset and still
haven't fixed their system can either figure out how to add
'arm-smmu.disable_bypass=n' to their command line or revert the
patch in their own private kernel. Of course these folks will be
less secure.

Suggested-by: Robin Murphy <robin.murphy@xxxxxxx>
Signed-off-by: Douglas Anderson <dianders@xxxxxxxxxxxx>
---

Hi Doug / Robin,

I ran into this breaking things on OcteonTx boards based on CN80XX
CPU. The IOMMU configuration is a bit beyond me and I'm hoping you can
offer some advice. The IOMMU here is cavium,smmu-v2 as defined in
https://github.com/Gateworks/dts-newport/blob/master/cn81xx-linux.dtsi

Booting with 'arm-smmu.disable_bypass=n' does indeed work around the
breakage as the commit suggests.

Any suggestions for a proper fix?

Ah, you're using the old "mmu-masters" binding (and in a way which isn't well-defined - it's never been specified what the stream ID argument(s) would mean for a PCI host bridge, and Linux just ignores them). The ideal thing would be to update the DT to generic "iommu-map" properties - it's been a long time since I last played with a ThunderX, but I believe the SMMU stream IDs should just be the same as the ITS device IDs (which is how the "mmu-masters" mapping would have played out anyway).

The arm-smmu driver support for the old binding has always relied on implicit bypass - there are technical reasons why we can't realistically support the full functionality offered to the generic bindings, but it would be possible to add some degree of workaround to prevent it interacting quite so poorly with disable_bypass, if necessary. Do you have deployed systems with DTs that can't be updated, but still might need to run new kernels?

Robin.

Next message: Leonardo Bras: "Re: [PATCH v5 10/11] mm/Kconfig: Adds config option to track lockless pagetable walks"
Previous message: Stephen Rothwell: "linux-next: Fixes tags need some work in the amlogic tree"
In reply to: Tim Harvey: "Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default"
Next in thread: Tim Harvey: "Re: [PATCH v2] iommu/arm-smmu: Break insecure users by disabling bypass by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]