iommu/amd: Add blocked domain support

Create global blocked domain with attach device ops. It will clear the
DTE so that all DMA from device will be aborted.

Signed-off-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20240722115452.5976-1-vasant.hegde@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>

diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index b19e8c0f48fa25f1594d983e2f17a23f7571c4a7..87c5385ce3f28621163bd4ade8dfeebd3937f404 100644 (file)
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2462,6 +2462,29 @@ void amd_iommu_domain_free(struct iommu_domain *dom)
        protection_domain_free(domain);
 }
 
+static int blocked_domain_attach_device(struct iommu_domain *domain,
+                                       struct device *dev)
+{
+       struct iommu_dev_data *dev_data = dev_iommu_priv_get(dev);
+
+       if (dev_data->domain)
+               detach_device(dev);
+
+       /* Clear DTE and flush the entry */
+       spin_lock(&dev_data->lock);
+       amd_iommu_dev_update_dte(dev_data, false);
+       spin_unlock(&dev_data->lock);
+
+       return 0;
+}
+
+static struct iommu_domain blocked_domain = {
+       .type = IOMMU_DOMAIN_BLOCKED,
+       .ops = &(const struct iommu_domain_ops) {
+               .attach_dev     = blocked_domain_attach_device,
+       }
+};
+
 static int amd_iommu_attach_device(struct iommu_domain *dom,
                                   struct device *dev)
 {
@@ -2859,6 +2882,7 @@ static int amd_iommu_dev_disable_feature(struct device *dev,
 
 const struct iommu_ops amd_iommu_ops = {
        .capable = amd_iommu_capable,
+       .blocked_domain = &blocked_domain,
        .domain_alloc = amd_iommu_domain_alloc,
        .domain_alloc_user = amd_iommu_domain_alloc_user,
        .domain_alloc_sva = amd_iommu_domain_alloc_sva,