Re: [PATCH v9 1/4] iommu: Move def_domain type check for untrusted device into core

From: Lu Baolu
Date: Mon Nov 23 2020 - 07:59:30 EST


Hi Will,

On 2020/11/23 20:04, Will Deacon wrote:
On Sat, Nov 21, 2020 at 09:56:17PM +0800, Lu Baolu wrote:
So that the vendor iommu drivers are no more required to provide the
def_domain_type callback to always isolate the untrusted devices.

Link: https://lore.kernel.org/linux-iommu/243ce89c33fe4b9da4c56ba35acebf81@xxxxxxxxxx/
Cc: Shameerali Kolothum Thodi <shameerali.kolothum.thodi@xxxxxxxxxx>
Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
---
drivers/iommu/intel/iommu.c | 7 -------
drivers/iommu/iommu.c | 21 ++++++++++++++-------
2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index af3abd285214..6711f78141a4 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -2916,13 +2916,6 @@ static int device_def_domain_type(struct device *dev)
if (dev_is_pci(dev)) {
struct pci_dev *pdev = to_pci_dev(dev);
- /*
- * Prevent any device marked as untrusted from getting
- * placed into the statically identity mapping domain.
- */
- if (pdev->untrusted)
- return IOMMU_DOMAIN_DMA;
-
if ((iommu_identity_mapping & IDENTMAP_AZALIA) && IS_AZALIA(pdev))
return IOMMU_DOMAIN_IDENTITY;
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 88b0c9192d8c..3256784c0358 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1457,13 +1457,23 @@ struct iommu_group *fsl_mc_device_group(struct device *dev)
}
EXPORT_SYMBOL_GPL(fsl_mc_device_group);
-static int iommu_get_def_domain_type(struct device *dev)
+/* Get the mandatary def_domain type for device. Otherwise, return 0. */
+static int iommu_get_mandatory_def_domain_type(struct device *dev)
{
const struct iommu_ops *ops = dev->bus->iommu_ops;
- unsigned int type = 0;
+
+ if (dev_is_pci(dev) && to_pci_dev(dev)->untrusted)
+ return IOMMU_DOMAIN_DMA;
if (ops->def_domain_type)
- type = ops->def_domain_type(dev);
+ return ops->def_domain_type(dev);
+
+ return 0;
+}
+
+static int iommu_get_def_domain_type(struct device *dev)
+{
+ int type = iommu_get_mandatory_def_domain_type(dev);
return (type == 0) ? iommu_def_domain_type : type;
}
@@ -1645,13 +1655,10 @@ struct __group_domain_type {
static int probe_get_default_domain_type(struct device *dev, void *data)
{
- const struct iommu_ops *ops = dev->bus->iommu_ops;
struct __group_domain_type *gtype = data;
unsigned int type = 0;
- if (ops->def_domain_type)
- type = ops->def_domain_type(dev);
-
+ type = iommu_get_mandatory_def_domain_type(dev);

afaict, this code is only called from probe_alloc_default_domain(), which
has:

/* Ask for default domain requirements of all devices in the group */
__iommu_group_for_each_dev(group, &gtype,
probe_get_default_domain_type);

if (!gtype.type)
gtype.type = iommu_def_domain_type;

so is there actually a need to introduce the new
iommu_get_mandatory_def_domain_type() function, given that a type of 0
always ends up resolving to the default domain type?

Another consumer of this helper is in the next patch:

+ dev_def_dom = iommu_get_mandatory_def_domain_type(dev);
+
+ /* Check if user requested domain is supported by the device or not */
+ if (!type) {
+ /*
+ * If the user hasn't requested any specific type of domain and
+ * if the device supports both the domains, then default to the
+ * domain the device was booted with
+ */
+ type = iommu_get_def_domain_type(dev);
+ } else if (dev_def_dom && type != dev_def_dom) {
+ dev_err_ratelimited(prev_dev, "Device cannot be in %s domain\n",
+ iommu_domain_type_str(type));
+ ret = -EINVAL;
+ goto out;
+ }

I also added the untrusted device check in
iommu_get_mandatory_def_domain_type(), so that we don't need to care
about this in multiple places.

Best regards,
baolu