2019-11-07 04:43:31 +03:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
#ifndef _MEMREGION_H_
|
|
|
|
#define _MEMREGION_H_
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/errno.h>
|
2023-02-10 12:07:02 +03:00
|
|
|
#include <linux/range.h>
|
memregion: Add cpu_cache_invalidate_memregion() interface
With CXL security features, and CXL dynamic provisioning, global CPU
cache flushing nvdimm requirements are no longer specific to that
subsystem, even beyond the scope of security_ops. CXL will need such
semantics for features not necessarily limited to persistent memory.
The functionality this is enabling is to be able to instantaneously
secure erase potentially terabytes of memory at once and the kernel
needs to be sure that none of the data from before the erase is still
present in the cache. It is also used when unlocking a memory device
where speculative reads and firmware accesses could have cached poison
from before the device was unlocked. Lastly this facility is used when
mapping new devices, or new capacity into an established physical
address range. I.e. when the driver switches DeviceA mapping AddressX to
DeviceB mapping AddressX then any cached data from DeviceA:AddressX
needs to be invalidated.
This capability is typically only used once per-boot (for unlock), or
once per bare metal provisioning event (secure erase), like when handing
off the system to another tenant or decommissioning a device. It may
also be used for dynamic CXL region provisioning.
Users must first call cpu_cache_has_invalidate_memregion() to know
whether this functionality is available on the architecture. On x86 this
respects the constraints of when wbinvd() is tolerable. It is already
the case that wbinvd() is problematic to allow in VMs due its global
performance impact and KVM, for example, has been known to just trap and
ignore the call. With confidential computing guest execution of wbinvd()
may even trigger an exception. Given guests should not be messing with
the bare metal address map via CXL configuration changes
cpu_cache_has_invalidate_memregion() returns false in VMs.
While this global cache invalidation facility, is exported to modules,
since NVDIMM and CXL support can be built as a module, it is not for
general use. The intent is that this facility is not available outside
of specific "device-memory" use cases. To make that expectation as clear
as possible the API is scoped to a new "DEVMEM" module namespace that
only the NVDIMM and CXL subsystems are expected to import.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Tested-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Co-developed-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2022-10-28 21:34:04 +03:00
|
|
|
#include <linux/bug.h>
|
2019-11-07 04:43:31 +03:00
|
|
|
|
2019-11-07 04:43:43 +03:00
|
|
|
struct memregion_info {
|
|
|
|
int target_node;
|
2023-02-10 12:07:02 +03:00
|
|
|
struct range range;
|
2019-11-07 04:43:43 +03:00
|
|
|
};
|
|
|
|
|
2019-11-07 04:43:31 +03:00
|
|
|
#ifdef CONFIG_MEMREGION
|
|
|
|
int memregion_alloc(gfp_t gfp);
|
|
|
|
void memregion_free(int id);
|
|
|
|
#else
|
|
|
|
static inline int memregion_alloc(gfp_t gfp)
|
|
|
|
{
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
2022-06-23 23:02:31 +03:00
|
|
|
static inline void memregion_free(int id)
|
2019-11-07 04:43:31 +03:00
|
|
|
{
|
|
|
|
}
|
|
|
|
#endif
|
memregion: Add cpu_cache_invalidate_memregion() interface
With CXL security features, and CXL dynamic provisioning, global CPU
cache flushing nvdimm requirements are no longer specific to that
subsystem, even beyond the scope of security_ops. CXL will need such
semantics for features not necessarily limited to persistent memory.
The functionality this is enabling is to be able to instantaneously
secure erase potentially terabytes of memory at once and the kernel
needs to be sure that none of the data from before the erase is still
present in the cache. It is also used when unlocking a memory device
where speculative reads and firmware accesses could have cached poison
from before the device was unlocked. Lastly this facility is used when
mapping new devices, or new capacity into an established physical
address range. I.e. when the driver switches DeviceA mapping AddressX to
DeviceB mapping AddressX then any cached data from DeviceA:AddressX
needs to be invalidated.
This capability is typically only used once per-boot (for unlock), or
once per bare metal provisioning event (secure erase), like when handing
off the system to another tenant or decommissioning a device. It may
also be used for dynamic CXL region provisioning.
Users must first call cpu_cache_has_invalidate_memregion() to know
whether this functionality is available on the architecture. On x86 this
respects the constraints of when wbinvd() is tolerable. It is already
the case that wbinvd() is problematic to allow in VMs due its global
performance impact and KVM, for example, has been known to just trap and
ignore the call. With confidential computing guest execution of wbinvd()
may even trigger an exception. Given guests should not be messing with
the bare metal address map via CXL configuration changes
cpu_cache_has_invalidate_memregion() returns false in VMs.
While this global cache invalidation facility, is exported to modules,
since NVDIMM and CXL support can be built as a module, it is not for
general use. The intent is that this facility is not available outside
of specific "device-memory" use cases. To make that expectation as clear
as possible the API is scoped to a new "DEVMEM" module namespace that
only the NVDIMM and CXL subsystems are expected to import.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: x86@kernel.org
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Tested-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Co-developed-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2022-10-28 21:34:04 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* cpu_cache_invalidate_memregion - drop any CPU cached data for
|
|
|
|
* memregions described by @res_desc
|
|
|
|
* @res_desc: one of the IORES_DESC_* types
|
|
|
|
*
|
|
|
|
* Perform cache maintenance after a memory event / operation that
|
|
|
|
* changes the contents of physical memory in a cache-incoherent manner.
|
|
|
|
* For example, device memory technologies like NVDIMM and CXL have
|
|
|
|
* device secure erase, and dynamic region provision that can replace
|
|
|
|
* the memory mapped to a given physical address.
|
|
|
|
*
|
|
|
|
* Limit the functionality to architectures that have an efficient way
|
|
|
|
* to writeback and invalidate potentially terabytes of address space at
|
|
|
|
* once. Note that this routine may or may not write back any dirty
|
|
|
|
* contents while performing the invalidation. It is only exported for
|
|
|
|
* the explicit usage of the NVDIMM and CXL modules in the 'DEVMEM'
|
|
|
|
* symbol namespace on bare platforms.
|
|
|
|
*
|
|
|
|
* Returns 0 on success or negative error code on a failure to perform
|
|
|
|
* the cache maintenance.
|
|
|
|
*/
|
|
|
|
#ifdef CONFIG_ARCH_HAS_CPU_CACHE_INVALIDATE_MEMREGION
|
|
|
|
int cpu_cache_invalidate_memregion(int res_desc);
|
|
|
|
bool cpu_cache_has_invalidate_memregion(void);
|
|
|
|
#else
|
|
|
|
static inline bool cpu_cache_has_invalidate_memregion(void)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int cpu_cache_invalidate_memregion(int res_desc)
|
|
|
|
{
|
|
|
|
WARN_ON_ONCE("CPU cache invalidation required");
|
|
|
|
return -ENXIO;
|
|
|
|
}
|
|
|
|
#endif
|
2019-11-07 04:43:31 +03:00
|
|
|
#endif /* _MEMREGION_H_ */
|