Re: [PATCH] PCI: ACPI: Allow internal devices to be marked as untrusted

[Mika Westerberg]

Hi,

On Fri, Jan 21, 2022 at 03:41:17PM -0600, Bjorn Helgaas wrote:
> [+cc Greg, Jean-Philippe, Mika, Pavel, Oliver, Joerg since they
> commented on previous "external-facing" discussion]
> 
> On Wed, Jan 19, 2022 at 04:04:09PM -0800, Rajat Jain wrote:
> > Today the pci_dev->untrusted is set for any devices sitting downstream
> > an external facing port (determined via "ExternalFacingPort" property).
> > This however, disallows any internal devices to be marked as untrusted.
> 
> This isn't stated quite accurately.  "dev->untrusted" is currently set
> only by set_pcie_untrusted(), when "dev" has an upstream bridge that
> is either external-facing or untrusted.
> 
> But that doesn't disallow or prevent internal devices from being
> marked as untrusted; it just doesn't implement that.
> 
> > There are use-cases though, where a platform would like to treat an
> > internal device as untrusted (perhaps because it runs untrusted
> > firmware, or offers an attack surface by handling untrusted network
> > data etc).
> > 
> > This patch introduces a new "UntrustedDevice" property that can be used
> > by the firmware to mark any device as untrusted.

I think this new property should be documented somewhere too (also
explain when to use it instead of ExternalFacingPort). If not in the
next ACPI spec or some supplemental doc then perhaps in the DT bindings
under Documentation/devicetree/bindings.