[PATCH] WIP: iommu: Export dmar_platform_optin() as a securityfs attribute

Richard Hughes hughsient at gmail.com
Thu May 7 16:40:06 UTC 2020


Although we can get the same information from
/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection, the
IP block on the SOC may be deactivated. That means that it would
not be exported even though pre-boot DMA was enabled and available.

This patch is work in progress and is only supposed to spark
discussion. I'm new here, so please be gentle :)

Signed-off-by: Richard Hughes <richard at hughsie.com>
---
 drivers/iommu/Kconfig            | 10 ++++++
 drivers/iommu/Makefile           |  1 +
 drivers/iommu/iommu-securityfs.c | 55 ++++++++++++++++++++++++++++++++
 drivers/iommu/iommu.c            |  1 +
 include/linux/iommu.h            |  7 ++++
 5 files changed, 74 insertions(+)
 create mode 100644 drivers/iommu/iommu-securityfs.c

diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
index 2ab07ce17abb..e31fa9a459d6 100644
--- a/drivers/iommu/Kconfig
+++ b/drivers/iommu/Kconfig
@@ -79,6 +79,16 @@ config IOMMU_DEBUGFS
 	  debug/iommu directory, and then populate a subdirectory with
 	  entries as required.
 
+config IOMMU_SECURITYFS
+	bool "Export IOMMU attributes in SecurityFS"
+	depends on SECURITY
+	help
+	  Allows exposure of IOMMU security attributes. Devices can,
+	  at initialization time, cause the IOMMU code to create a top-
level
+	  security/iommu directory, and then populate entries as
required.
+
+	  If unsure, say N here.
+
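Review bot: The new IOMMU_SECURITYFS symbol is not the one the other hunks agree on: the drivers/iommu/Makefile hunk builds iommu-securityfs.o only under CONFIG_IOMMU_SECURITYFS, while the include/linux/iommu.h hunk declares the real iommu_securityfs_setup() under `#ifdef CONFIG_SECURITY`, so a kernel with SECURITY=y and IOMMU_SECURITYFS=n gets a prototype, no object file, and an undefined reference from the call added to iommu_init(). The header guard should be `#ifdef CONFIG_IOMMU_SECURITYFS` so the inline stub is used whenever this file is not built. Separately, `depends on SECURITY` is weaker than what the code needs: securityfs_create_dir()/securityfs_create_file() are only backed by the filesystem under CONFIG_SECURITYFS and are otherwise stubs that return an error pointer, so `depends on SECURITYFS` would stop the option from being offered in configurations where it can only fail.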
 config IOMMU_DEFAULT_PASSTHROUGH
 	bool "IOMMU passthrough by default"
 	depends on IOMMU_API
diff --git a/drivers/iommu/Makefile b/drivers/iommu/Makefile
index 9f33fdb3bb05..f6c9c07b86b6 100644
--- a/drivers/iommu/Makefile
+++ b/drivers/iommu/Makefile
@@ -3,6 +3,7 @@ obj-$(CONFIG_IOMMU_API) += iommu.o
 obj-$(CONFIG_IOMMU_API) += iommu-traces.o
 obj-$(CONFIG_IOMMU_API) += iommu-sysfs.o
 obj-$(CONFIG_IOMMU_DEBUGFS) += iommu-debugfs.o
+obj-$(CONFIG_IOMMU_SECURITYFS) += iommu-securityfs.o
 obj-$(CONFIG_IOMMU_DMA) += dma-iommu.o
 obj-$(CONFIG_IOMMU_IO_PGTABLE) += io-pgtable.o
 obj-$(CONFIG_IOMMU_IO_PGTABLE_ARMV7S) += io-pgtable-arm-v7s.o
diff --git a/drivers/iommu/iommu-securityfs.c b/drivers/iommu/iommu-
securityfs.c
new file mode 100644
index 000000000000..71210c56311a
--- /dev/null
+++ b/drivers/iommu/iommu-securityfs.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * IOMMU security interface
+ *
+ * Copyright 2020 (c) Richard Hughes (richard at hughsie.com)
+ */
+
+#include <linux/pci.h>
+#include <linux/iommu.h>
+#include <linux/security.h>
+#include <linux/dmar.h>
+
+struct dentry *iommu_securityfs_dir;
+EXPORT_SYMBOL_GPL(iommu_securityfs_dir);
+
+struct dentry *iommu_dmar_enabled;
+
+static ssize_t iommu_dmar_enabled_read(struct file *filp,
+				       char __user *buf,
+				       size_t count,
+				       loff_t *ppos)
+{
+	char tmp[2];
+
+	sprintf(tmp, "%d\n", dmar_platform_optin());
+	return simple_read_from_buffer(buf, count, ppos, tmp,
sizeof(tmp));
+}
+
+static const struct file_operations iommu_dmar_enabled_ops = {
+	.read  = iommu_dmar_enabled_read,
+};
+
+/**
+ * iommu_securityfs_setup - create the iommu directory in security
with any
+ *                          shared attributes
+ *
+ * Provide base enablement for using security to expose internal data
of an
+ * IOMMU driver. When called, this function creates the
+ * /sys/kernel/security/iommu directory.
+ *
+ * This function is called from iommu_init; drivers may then use
+ * iommu_securityfs_dir to instantiate vendor-specific attributes.
+ */
+void iommu_securityfs_setup(void)
+{
+	if (!iommu_securityfs_dir) {
+		iommu_securityfs_dir = securityfs_create_dir("iommu",
NULL);
+		if (IS_ERR(iommu_dmar_enabled))
+			return;
+		iommu_dmar_enabled =
+		    securityfs_create_file("dmar_enabled",
+					   0600, iommu_securityfs_dir,
NULL,
+					   &iommu_dmar_enabled_ops);
+	}
+}
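Review bot: `char tmp[2]` in iommu_dmar_enabled_read() is one byte too small: sprintf() of "%d\n" emits the digit, the newline and a terminating NUL, so the third byte is written past the end of the stack buffer, and passing `sizeof(tmp)` to simple_read_from_buffer() ties the number of bytes exported to the array size rather than to the string. Size the buffer for the string and hand over the formatted length instead: `char tmp[3]; int len = scnprintf(tmp, sizeof(tmp), "%d\n", dmar_platform_optin()); return simple_read_from_buffer(buf, count, ppos, tmp, len);`. In iommu_securityfs_setup() the error test is on the wrong variable: `IS_ERR(iommu_dmar_enabled)` inspects the file that has not been created yet instead of the directory just returned by securityfs_create_dir(), so on failure an ERR_PTR is left in the exported iommu_securityfs_dir, where neither the `!iommu_securityfs_dir` check nor driver callers will recognise it, and is then passed on as the parent dentry; it should read `if (IS_ERR(iommu_securityfs_dir)) { iommu_securityfs_dir = NULL; return; }`. `iommu_dmar_enabled` is not referenced outside this file and should be `static`, and since iommu_dmar_enabled_ops only provides .read, a mode of 0400 describes the interface better than 0600.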
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 7b375421afba..d8256485a7af 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -2192,6 +2192,7 @@ static int __init iommu_init(void)
 	BUG_ON(!iommu_group_kset);
 
 	iommu_debugfs_setup();
+	iommu_securityfs_setup();
 
 	return 0;
 }
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index 7ef8b0bda695..5d6721ec9bf9 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -1101,4 +1101,11 @@ void iommu_debugfs_setup(void);
 static inline void iommu_debugfs_setup(void) {}
 #endif
 
+#ifdef CONFIG_SECURITY
+extern	struct dentry *iommu_securityfs_dir;
+void iommu_securityfs_setup(void);
+#else
+static inline void iommu_securityfs_setup(void) {}
+#endif
+
 #endif /* __LINUX_IOMMU_H */
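Review bot: `extern	struct dentry *iommu_securityfs_dir;` has a tab between the storage-class specifier and the type; kernel style is a single space, `extern struct dentry *iommu_securityfs_dir;`. Note also that the `#else` branch only stubs iommu_securityfs_setup() and leaves iommu_securityfs_dir undeclared, so any vendor code that touches the directory pointer will have to wrap those uses in the same guard; a comment saying so next to the stub would save the next driver author a build failure.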



