Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support to userspace

From: Yehezkel Bernat
Date: Tue Nov 13 2018 - 10:39:14 EST

Next message: Hans Verkuil: "Re: [PATCH 3/5] media: sunxi: Add A10 CSI driver"
Previous message: Marek Szyprowski: "[PATCH] extcon: max8997: Fix lack of path setting in USB device mode"
In reply to: Yehezkel Bernat: "Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support to userspace"
Next in thread: Mika Westerberg: "Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support to userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 13, 2018 at 5:20 PM Mika Westerberg
<mika.westerberg@xxxxxxxxxxxxxxx> wrote:
>
> On Tue, Nov 13, 2018 at 04:42:58PM +0200, Yehezkel Bernat wrote:
> > On Tue, Nov 13, 2018 at 1:40 PM Mika Westerberg
> > <mika.westerberg@xxxxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, Nov 13, 2018 at 01:13:31PM +0200, Yehezkel Bernat wrote:
> > > > On Tue, Nov 13, 2018 at 12:56 PM Mika Westerberg
> > > > <mika.westerberg@xxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > > Just one point:
> > > > > > Have you considered the option to add this property per (TBT?) device?
> > > > >
> > > > > No. ;-)
> > > > >
> > > > > You mean that one device uses security levels and another IOMMU? I don't
> > > > > think it is possible without having some sort of table in the IOMMU
> > > > > driver telling which devices it needs identity map and which not. Also
> > > > > not sure what would be the benefit?
> > > >
> > > > For performance, of course. If some devices are considered safe (maybe a list
> > > > communicated by platform firmware), the kernel may decide to configure them to
> > > > passthrough the IOMMU (I think I remember there is such an option, but maybe I'm
> > > > wrong.)
> > >
> > > At least I'm not aware of such an option. Windows for example enables
> > > IOMMU for everything and I think macOS does the same. In Linux (with
> > > these patches) we put all internal devices already passthrough mode so
> > > things like internal graphics should not be affected. eGPUs are
> > > different thing, though.
> >
> > So your point here is "currently we do the IOMMU decisions system-wide; we can
> > always add a per-device attribute if needed"?
>
> Well, let me elaborate a bit :) I think it is possible to put certain
> devices into IOMMU passthrough mode even if they are "external" but I'm
> not that familiar with the guts of Intel IOMMU (Baolu or Ashok are the
> experts). Assuming it is possible we could have a table or similar in
> the kernel that can be used to identify devices that are allowed to be
> in passthrough mode.
>
> I'm not sure if it can be per-device sysfs attribute because at the time
> the PCIe device is enumerated it is already put to its IOMMU group.

Good point. But I thought about per-TBT-device decision. If the platform is
configured for IOMMU+"user" security level, while approving the device the user
may want to set also in which IOMMU group to put all the PCIe devices connected
to it. The same goes if kernel is supposed to auto-approve such devices based on
an internal table. The point is that we can think on a configuration where the
devices aren't tunneled yet and the decision about IOMMU can still be changed.

As you mentioned this isn't the common configuration anyway, so it probably
doesn't worth all this hassle.

Next message: Hans Verkuil: "Re: [PATCH 3/5] media: sunxi: Add A10 CSI driver"
Previous message: Marek Szyprowski: "[PATCH] extcon: max8997: Fix lack of path setting in USB device mode"
In reply to: Yehezkel Bernat: "Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support to userspace"
Next in thread: Mika Westerberg: "Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support to userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]