From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: dma-mapping: introduce DMA_ATTR_CC_DECRYPTED for pre-decrypted memory
Date: Wed, 11 Feb 2026 16:59:18 +1000 [thread overview]
Message-ID: <review-patch2-20260209153809.250835-3-jiri@resnulli.us> (raw)
In-Reply-To: <20260209153809.250835-3-jiri@resnulli.us>
Patch Review
**Subject**: `dma-mapping: introduce DMA_ATTR_CC_DECRYPTED for pre-decrypted memory`
**Files Modified**: `include/linux/dma-mapping.h`, `include/trace/events/dma.h`, `kernel/dma/direct.h`
**Verdict**: ⚠️ **Needs discussion** (technically sound but questions remain)
#### Technical Review
Introduces a new DMA attribute bit (bit 11) to indicate memory has been explicitly decrypted via `set_memory_decrypted()`.
**API Design** (include/linux/dma-mapping.h:405-410):
```c
+/*
+ * DMA_ATTR_CC_DECRYPTED: Indicates memory that has been explicitly decrypted
+ * (shared) for confidential computing guests. The caller must have
+ * called set_memory_decrypted(). A struct page is required.
+ */
+#define DMA_ATTR_CC_DECRYPTED (1UL << 11)
```
**Implementation Logic** (kernel/dma/direct.h:436-448):
The patch modifies `dma_direct_map_phys()` with this logic:
```c
if (is_swiotlb_force_bounce(dev)) {
if (!(attrs & DMA_ATTR_CC_DECRYPTED)) {
if (attrs & DMA_ATTR_MMIO)
return DMA_MAPPING_ERROR;
return swiotlb_map(dev, phys, size, dir, attrs);
}
} else if (attrs & DMA_ATTR_CC_DECRYPTED) {
return DMA_MAPPING_ERROR;
}
```
**Analysis**:
✅ **Correct behavior matrix**:
| Force Bounce | CC_DECRYPTED | MMIO | Action |
|--------------|--------------|------|--------|
| Yes | No | No | swiotlb_map() |
| Yes | No | Yes | ERROR |
| Yes | Yes | - | Skip swiotlb, direct map |
| No | Yes | - | ERROR |
✅ **Rationale is sound**:
- When swiotlb is force-bouncing AND memory is pre-decrypted → can skip bounce buffer
- When swiotlb is NOT force-bouncing AND CC_DECRYPTED is set → error (shouldn't happen)
**Critical Questions**:
1. **Mutual exclusivity**: Can `DMA_ATTR_CC_DECRYPTED` and `DMA_ATTR_MMIO` both be set? The code doesn't explicitly forbid it. In the force-bounce path, if both are set, we skip swiotlb but then what happens in the MMIO handling later?
2. **phys_to_dma_unencrypted() availability**:
```c
+ } else if (attrs & DMA_ATTR_CC_DECRYPTED) {
+ dma_addr = phys_to_dma_unencrypted(dev, phys);
```
Is `phys_to_dma_unencrypted()` available on all architectures? What happens on architectures without CoCo support?
3. **Verification gap**: The comment states "The caller must have called set_memory_decrypted()" but there's no enforcement. This is trust-based. Is that acceptable for security-critical code?
4. **DMA_ATTR_SKIP_CPU_SYNC interaction**: What happens if both `DMA_ATTR_CC_DECRYPTED` and `DMA_ATTR_SKIP_CPU_SYNC` are set?
**Minor Issues**:
- Trace event addition is correct
- Documentation is clear
---
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-02-11 6:59 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 15:38 [PATCH 0/5] dma-buf: heaps: system: add an option to allocate explicitly decrypted memory Jiri Pirko
2026-02-09 15:38 ` [PATCH 1/5] dma-mapping: avoid random addr value print out on error path Jiri Pirko
2026-02-11 6:59 ` Claude review: " Claude Code Review Bot
2026-02-12 11:03 ` [PATCH 1/5] " Marek Szyprowski
2026-02-12 12:52 ` Jiri Pirko
2026-02-09 15:38 ` [PATCH 2/5] dma-mapping: introduce DMA_ATTR_CC_DECRYPTED for pre-decrypted memory Jiri Pirko
2026-02-11 6:59 ` Claude Code Review Bot [this message]
2026-02-09 15:38 ` [PATCH 3/5] dma-buf: heaps: use designated initializer for exp_info Jiri Pirko
2026-02-11 6:59 ` Claude review: " Claude Code Review Bot
2026-02-09 15:38 ` [PATCH 4/5] dma-buf: heaps: allow heap to specify valid heap flags Jiri Pirko
2026-02-09 20:08 ` John Stultz
2026-02-10 0:29 ` Jason Gunthorpe
2026-02-10 9:14 ` Jiri Pirko
2026-02-10 12:43 ` Jason Gunthorpe
2026-02-10 14:49 ` Jiri Pirko
2026-02-10 14:54 ` Jason Gunthorpe
2026-02-10 9:05 ` Jiri Pirko
2026-02-10 12:48 ` Leon Romanovsky
2026-02-10 20:05 ` John Stultz
2026-02-11 6:59 ` Claude review: " Claude Code Review Bot
2026-02-09 15:38 ` [PATCH 5/5] dma-buf: heaps: system: add an option to allocate explicitly decrypted memory Jiri Pirko
2026-02-10 12:02 ` kernel test robot
2026-02-10 18:03 ` kernel test robot
2026-02-11 6:59 ` Claude review: " Claude Code Review Bot
2026-02-11 6:59 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch2-20260209153809.250835-3-jiri@resnulli.us \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox