linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Douglas Anderson <dianders@chromium.org>
Cc: rafael@kernel.org, rafael.j.wysocki@intel.com, will@kernel.org,
	robin.murphy@arm.com, joro@8bytes.org,
	bjorn.andersson@linaro.org, ulf.hansson@linaro.org,
	adrian.hunter@intel.com, bhelgaas@google.com,
	robdclark@chromium.org, linux-arm-msm@vger.kernel.org,
	linux-pci@vger.kernel.org, quic_c_gdjako@quicinc.com,
	iommu@lists.linux-foundation.org, sonnyrao@chromium.org,
	saiprakash.ranjan@codeaurora.org, linux-mmc@vger.kernel.org,
	vbadigan@codeaurora.org, rajatja@google.com,
	saravanak@google.com, joel@joelfernandes.org,
	Andy Gross <agross@kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 6/6] mmc: sdhci-msm: Request non-strict IOMMU mode
Date: Thu, 24 Jun 2021 15:43:26 +0200	[thread overview]
Message-ID: <YNSL/r+fOz6KMuwI@kroah.com> (raw)
In-Reply-To: <20210621165230.6.Icde6be7601a5939960caf802056c88cd5132eb4e@changeid>

On Mon, Jun 21, 2021 at 04:52:48PM -0700, Douglas Anderson wrote:
> IOMMUs can be run in "strict" mode or in "non-strict" mode. The
> quick-summary difference between the two is that in "strict" mode we
> wait until everything is flushed out when we unmap DMA memory. In
> "non-strict" we don't.
> 
> Using the IOMMU in "strict" mode is more secure/safer but slower
> because we have to sit and wait for flushes while we're unmapping. To
> explain a bit why "non-strict" mode is unsafe, let's imagine two
> examples.
> 
> An example of "non-strict" being insecure when reading from a device:
> a) Linux driver maps memory for DMA.
> b) Linux driver starts DMA on the device.
> c) Device write to RAM subject to bounds checking done by IOMMU.
> d) Device finishes writing to RAM and signals transfer is finished.
> e) Linux driver starts unmapping DMA memory but doesn't flush.

Why doesn't it "flush"?

> f) Linux driver validates that the data in memory looks sane and that
>    accessing it won't cause the driver to, for instance, overflow a
>    buffer.
> g) Device takes advantage of knowledge of how the Linux driver works
>    and sneaks in a modification to the data after the validation but
>    before the IOMMU unmap flush finishes.
> h) Device has now caused the Linux driver to access memory it
>    shouldn't.

So you are now saying we need to not trust hardware?  If so, that's a
massive switch for how the kernel needs to work right?

And what driver does f) and allows g) to happen?  That would be a normal
bug anyway, why not just fix the driver?

> An example of "non-strict" being insecure when writing to a device:
> a) Linux driver writes data intended for the device to RAM.
> b) Linux driver maps memory for DMA.
> c) Linux driver starts DMA on the device.
> d) Device reads from RAM subject to bounds checking done by IOMMU.
> e) Device finishes reading from RAM and signals transfer is finished.
> f) Linux driver starts unmapping DMA memory but doesn't flush.

Why does it not flush?

What do you mean by "flush"

> g) Linux driver frees memory and returns it to the pool.

What pool?

> h) Memory is allocated for another purpose.

Allocated by what?

We have memory allocators that write over the data when freed, why not
just use this if you are concerned about this type of issue?

> i) Device takes advantage of the period of time before IOMMU flush to
>    read memory that it shouldn't have had access to.

What memory would that be?

And if you really care about these issues, are you not able to take the
"hit" for the flush all the time as that is a hardware thing, not a
software thing.  Why not just always take advantage of that, no driver
changes needed?

And this isn't going to work, again, because the "pre_probe" isn't going
to be acceptable, sorry.

greg k-h

  reply	other threads:[~2021-06-24 13:43 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-21 23:52 [PATCH 0/6] iommu: Enable devices to request non-strict DMA, starting with QCom SD/MMC Douglas Anderson
2021-06-21 23:52 ` [PATCH 1/6] drivers: base: Add the concept of "pre_probe" to drivers Douglas Anderson
2021-06-24 13:35   ` Greg KH
2021-06-21 23:52 ` [PATCH 2/6] drivers: base: Add bits to struct device to control iommu strictness Douglas Anderson
2021-06-24 13:36   ` Greg KH
2021-06-24 13:42     ` Doug Anderson
2021-06-21 23:52 ` [PATCH 3/6] PCI: Indicate that we want to force strict DMA for untrusted devices Douglas Anderson
2021-06-24 13:38   ` Greg KH
2021-06-24 13:46     ` Doug Anderson
2021-06-21 23:52 ` [PATCH 4/6] iommu: Combine device strictness requests with the global default Douglas Anderson
2021-06-22  2:03   ` Lu Baolu
2021-06-22 16:53     ` Doug Anderson
2021-06-22 17:01       ` Doug Anderson
2021-06-22  2:55   ` Saravana Kannan
2021-06-22 16:40     ` Doug Anderson
2021-06-22 19:50       ` Saravana Kannan
2021-06-22 11:49   ` Robin Murphy
2021-06-22 18:45   ` Rajat Jain
2021-06-22 19:35     ` Doug Anderson
2021-06-21 23:52 ` [PATCH 5/6] iommu: Stop reaching into PCIe devices to decide strict vs. non-strict Douglas Anderson
2021-06-21 23:52 ` [PATCH 6/6] mmc: sdhci-msm: Request non-strict IOMMU mode Douglas Anderson
2021-06-24 13:43   ` Greg KH [this message]
2021-06-24 14:00     ` Doug Anderson
2021-06-22 11:35 ` [PATCH 0/6] iommu: Enable devices to request non-strict DMA, starting with QCom SD/MMC Robin Murphy
2021-06-22 16:06   ` Doug Anderson
2021-06-22 20:02     ` Rob Herring
2021-06-22 20:05       ` Saravana Kannan
2021-06-22 20:10         ` Doug Anderson
2021-06-23 13:54           ` Rob Herring
2021-06-22 22:10     ` Robin Murphy
2021-06-23 17:29       ` Doug Anderson
2021-06-24 17:23         ` Doug Anderson
2021-06-22 17:39 ` John Garry
2021-06-22 19:50   ` Doug Anderson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YNSL/r+fOz6KMuwI@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=adrian.hunter@intel.com \
    --cc=agross@kernel.org \
    --cc=bhelgaas@google.com \
    --cc=bjorn.andersson@linaro.org \
    --cc=dianders@chromium.org \
    --cc=iommu@lists.linux-foundation.org \
    --cc=joel@joelfernandes.org \
    --cc=joro@8bytes.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mmc@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=quic_c_gdjako@quicinc.com \
    --cc=rafael.j.wysocki@intel.com \
    --cc=rafael@kernel.org \
    --cc=rajatja@google.com \
    --cc=robdclark@chromium.org \
    --cc=robin.murphy@arm.com \
    --cc=saiprakash.ranjan@codeaurora.org \
    --cc=saravanak@google.com \
    --cc=sonnyrao@chromium.org \
    --cc=ulf.hansson@linaro.org \
    --cc=vbadigan@codeaurora.org \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).