Re: [PATCH kernel 4/9] dma/swiotlb: Stop forcing SWIOTLB for TDISP devices

[Alexey Kardashevskiy]

On 26/2/26 03:48, Robin Murphy wrote:
> On 2026-02-25 5:37 am, Alexey Kardashevskiy wrote:
> > SWIOTLB is enforced when encrypted guest memory is detected
> > in pci_swiotlb_detect() which is required for legacy devices.
> >
> > Skip SWIOTLB for TDISP devices.
> >
> > Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxx>
> > ---
> >   include/linux/swiotlb.h | 9 +++++++++
> >   1 file changed, 9 insertions(+)
> >
> > diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
> > index 3dae0f592063..119c25d639a7 100644
> > --- a/include/linux/swiotlb.h
> > +++ b/include/linux/swiotlb.h
> > @@ -173,6 +173,15 @@ static inline bool is_swiotlb_force_bounce(struct device *dev)
> >   {
> >       struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
> > +    /*
> > +     * CC_ATTR_GUEST_MEM_ENCRYPT enforces SWIOTLB_FORCE in
> > +     * swiotlb_init_remap() to allow legacy devices access arbitrary
> > +     * VM encrypted memory.
> > +     * Skip it for TDISP devices capable of DMA-ing the encrypted memory.
> > +     */
> > +    if (device_cc_accepted(dev))
> > +        return false;
>
> This seems backwards - how does it make sense for arch code to force SWIOTLB globally on the grounds that all DMA must be to shared memory, but then generic code override that because it claims to know better?

True. I have the itch to remove SWIOTLB_FORCE from pci_swiotlb_detect(), this may be the other way to go.

> I'd expect to see something more like:
>
>      if (is_cc_platform && !device_cc_accepted)

device_cc_accepted() implies is_cc_platform.

>          return true;
>
> here, and then get rid of the rest of the (ab)use of SWIOTLB_FORCE for this purpose entirely.
>
> However there is the fiddly aspect that it's not necessarily strictly enough to just un-force SWIOTLB; we really want to actively ensure that no private memory can *ever* end up getting bounced through a shared SWIOTLB buffer. The private/shared state is really a property of the individual DMA mappings, though, rather than an overall property of the device itself
At the moment it is a property of the device though, for AMD, at least.

> (since a device that's trusted to access private memory isn't necessarily prohibited from still also accessing shared memory as well), hmmm...

True. With vTOM ("everything above TopOfMemory is shared", not using it now) or secure vIOMMU all sorts of accesses is possible. Thanks,

> Thanks,
> Robin.
>
> > +
> >       return mem && mem->force_bounce;
> >   }

--
Alexey