Re: [PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device
Hi, On 6/12/19 9:05 AM, Konrad Rzeszutek Wilk wrote: On Wed, Jun 12, 2019 at 08:43:40AM +0800, Lu Baolu wrote: Hi Konrad, Thanks a lot for your reviewing. On 6/10/19 11:45 PM, Konrad Rzeszutek Wilk wrote: On Mon, Jun 03, 2019 at 09:16:14AM +0800, Lu Baolu wrote: This is necessary to avoid exposing valid kernel data to any milicious device. malicious Yes, thanks. Suggested-by: Christoph Hellwig Signed-off-by: Lu Baolu --- kernel/dma/swiotlb.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index f956f785645a..ed41eb7f6131 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -35,6 +35,7 @@ #include #include #include +#include #ifdef CONFIG_DEBUG_FS #include #endif @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, */ for (i = 0; i < nslots; i++) io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT); + + /* Zero out the bounce buffer if the consumer is untrusted. */ + if (dev_is_untrusted(hwdev)) + memset(phys_to_virt(tlb_addr), 0, alloc_size); What if the alloc_size is less than a PAGE? Should this at least have ALIGN or such? It's the consumer (iommu subsystem) who requires this to be page aligned. For swiotlb, it just clears out all data in the allocated bounce buffer. I am thinking that the if you don't memset the full page the malicious hardware could read stale date from the rest of the page that hasn't been cleared? Yes. My point is that this should be guaranteed by the bounce page implementation in iommu. Best regards, Baolu Best regards, Baolu + if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE); -- 2.17.1
Re: [PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device
On Wed, Jun 12, 2019 at 08:43:40AM +0800, Lu Baolu wrote: > Hi Konrad, > > Thanks a lot for your reviewing. > > On 6/10/19 11:45 PM, Konrad Rzeszutek Wilk wrote: > > On Mon, Jun 03, 2019 at 09:16:14AM +0800, Lu Baolu wrote: > > > This is necessary to avoid exposing valid kernel data to any > > > milicious device. > > > > malicious > > Yes, thanks. > > > > > > > > > Suggested-by: Christoph Hellwig > > > Signed-off-by: Lu Baolu > > > --- > > > kernel/dma/swiotlb.c | 6 ++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c > > > index f956f785645a..ed41eb7f6131 100644 > > > --- a/kernel/dma/swiotlb.c > > > +++ b/kernel/dma/swiotlb.c > > > @@ -35,6 +35,7 @@ > > > #include > > > #include > > > #include > > > +#include > > > #ifdef CONFIG_DEBUG_FS > > > #include > > > #endif > > > @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device > > > *hwdev, > > >*/ > > > for (i = 0; i < nslots; i++) > > > io_tlb_orig_addr[index+i] = orig_addr + (i << > > > IO_TLB_SHIFT); > > > + > > > + /* Zero out the bounce buffer if the consumer is untrusted. */ > > > + if (dev_is_untrusted(hwdev)) > > > + memset(phys_to_virt(tlb_addr), 0, alloc_size); > > > > What if the alloc_size is less than a PAGE? Should this at least have ALIGN > > or such? > > It's the consumer (iommu subsystem) who requires this to be page > aligned. For swiotlb, it just clears out all data in the allocated > bounce buffer. I am thinking that the if you don't memset the full page the malicious hardware could read stale date from the rest of the page that hasn't been cleared? > > Best regards, > Baolu > > > > > > + > > > if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && > > > (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) > > > swiotlb_bounce(orig_addr, tlb_addr, mapping_size, > > > DMA_TO_DEVICE); > > > -- > > > 2.17.1 > > > > >
Re: [PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device
Hi Konrad, Thanks a lot for your reviewing. On 6/10/19 11:45 PM, Konrad Rzeszutek Wilk wrote: On Mon, Jun 03, 2019 at 09:16:14AM +0800, Lu Baolu wrote: This is necessary to avoid exposing valid kernel data to any milicious device. malicious Yes, thanks. Suggested-by: Christoph Hellwig Signed-off-by: Lu Baolu --- kernel/dma/swiotlb.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index f956f785645a..ed41eb7f6131 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -35,6 +35,7 @@ #include #include #include +#include #ifdef CONFIG_DEBUG_FS #include #endif @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, */ for (i = 0; i < nslots; i++) io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT); + + /* Zero out the bounce buffer if the consumer is untrusted. */ + if (dev_is_untrusted(hwdev)) + memset(phys_to_virt(tlb_addr), 0, alloc_size); What if the alloc_size is less than a PAGE? Should this at least have ALIGN or such? It's the consumer (iommu subsystem) who requires this to be page aligned. For swiotlb, it just clears out all data in the allocated bounce buffer. Best regards, Baolu + if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE); -- 2.17.1
Re: [PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device
On Mon, Jun 03, 2019 at 09:16:14AM +0800, Lu Baolu wrote: > This is necessary to avoid exposing valid kernel data to any > milicious device. malicious > > Suggested-by: Christoph Hellwig > Signed-off-by: Lu Baolu > --- > kernel/dma/swiotlb.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c > index f956f785645a..ed41eb7f6131 100644 > --- a/kernel/dma/swiotlb.c > +++ b/kernel/dma/swiotlb.c > @@ -35,6 +35,7 @@ > #include > #include > #include > +#include > #ifdef CONFIG_DEBUG_FS > #include > #endif > @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, >*/ > for (i = 0; i < nslots; i++) > io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT); > + > + /* Zero out the bounce buffer if the consumer is untrusted. */ > + if (dev_is_untrusted(hwdev)) > + memset(phys_to_virt(tlb_addr), 0, alloc_size); What if the alloc_size is less than a PAGE? Should this at least have ALIGN or such? > + > if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && > (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) > swiotlb_bounce(orig_addr, tlb_addr, mapping_size, > DMA_TO_DEVICE); > -- > 2.17.1 > ___ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
[PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device
This is necessary to avoid exposing valid kernel data to any milicious device. Suggested-by: Christoph Hellwig Signed-off-by: Lu Baolu --- kernel/dma/swiotlb.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index f956f785645a..ed41eb7f6131 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -35,6 +35,7 @@ #include #include #include +#include #ifdef CONFIG_DEBUG_FS #include #endif @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, */ for (i = 0; i < nslots; i++) io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT); + + /* Zero out the bounce buffer if the consumer is untrusted. */ + if (dev_is_untrusted(hwdev)) + memset(phys_to_virt(tlb_addr), 0, alloc_size); + if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE); -- 2.17.1 ___ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu