From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763190Ab3IDREy (ORCPT ); Wed, 4 Sep 2013 13:04:54 -0400 Received: from mail-bl2lp0205.outbound.protection.outlook.com ([207.46.163.205]:13176 "EHLO na01-bl2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752276Ab3IDREw (ORCPT ); Wed, 4 Sep 2013 13:04:52 -0400 From: Matthew Garrett To: David Woodhouse CC: "linux-kernel@vger.kernel.org" , "linux-efi@vger.kernel.org" , "keescook@chromium.org" , "hpa@zytor.com" Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Thread-Topic: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Thread-Index: AQHOqQBjqKk67KL8RE6ch/Xxg088dpm1zbuAgAAB+gA= Date: Wed, 4 Sep 2013 17:04:46 +0000 Message-ID: <1378314286.13193.5.camel@x230> References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com> <1378252218-18798-3-git-send-email-matthew.garrett@nebula.com> <1378313861.4210.39.camel@i7.infradead.org> In-Reply-To: <1378313861.4210.39.camel@i7.infradead.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [209.6.207.143] x-forefront-prvs: 095972DF2F x-forefront-antispam-report: SFV:NSPM;SFS:(24454002)(189002)(199002)(377424004)(51704005)(51856001)(66066001)(83072001)(80022001)(33716001)(4396001)(46102001)(59766001)(77982001)(81816001)(65816001)(33646001)(81686001)(81342001)(79102001)(50986001)(47976001)(47736001)(49866001)(54356001)(74876001)(76482001)(81542001)(54316002)(56776001)(63696002)(31966008)(74502001)(74662001)(47446002)(83322001)(19580405001)(74706001)(77096001)(56816003)(76786001)(76796001)(69226001)(74366001)(19580395003)(53806001)(80976001);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR05MB224;H:BY2PR05MB222.namprd05.prod.outlook.com;CLIP:209.6.207.143;RD:InfoNoRecords;MX:1;A:1;LANG:en; Content-Type: text/plain; charset="utf-8" Content-ID: <7EABBCAC0D106C4BAEE37C8B8314C70B@namprd05.prod.outlook.com> MIME-Version: 1.0 X-OriginatorOrg: nebula.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id r84H4whv024391 On Wed, 2013-09-04 at 17:57 +0100, David Woodhouse wrote: > On Tue, 2013-09-03 at 19:50 -0400, Matthew Garrett wrote: > > Any hardware that can potentially generate DMA has to be locked down from > > userspace in order to avoid it being possible for an attacker to modify > > kernel code, allowing them to circumvent disabled module loading or module > > signing. Default to paranoid - in future we can potentially relax this for > > sufficiently IOMMU-isolated devices. > > Can you elaborate on what you mean by "sufficiently IOMMU-isolated", and > what's missing before we can do that? Do we have in-kernel API to guarantee that a given PCI device is actively isolated by an IOMMU such that it can't modify any host kernel pages that aren't explicitly intended to be writable by the device? That seems to be the biggest constraint. > If a given device is protected by an active IOMMU, and if there's no > driver loaded and hence no active DMA mappings for the device in > question, then we ought to be able to prod at it safely, right? It can't > DMA anywhere anyway. How does virt passthrough work in this case? The current situation appears to be that qemu just passes the BARs through to the guest, and it's the guest that sets things up. We'd need to be able to ensure that there's no way the guest driver can cause DMA into the host kernel. > And there are non-DMA considerations too, aren't there? What about just > writing some fun stuff to a memory BAR and then writing to PCI config to > map that BAR to an address that we can get executed by kernel code? Yes, that's why config space is locked down for now. -- Matthew Garrett {.n++%ݶw{.n+{G{ayʇڙ,jfhz_(階ݢj"mG?&~iOzv^m ?I From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Garrett Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Date: Wed, 4 Sep 2013 17:04:46 +0000 Message-ID: <1378314286.13193.5.camel@x230> References: <1378252218-18798-1-git-send-email-matthew.garrett@nebula.com> <1378252218-18798-3-git-send-email-matthew.garrett@nebula.com> <1378313861.4210.39.camel@i7.infradead.org> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: In-Reply-To: <1378313861.4210.39.camel-W2I5cNIroUsVm/YvaOjsyQ@public.gmane.org> Content-Language: en-US Content-ID: <7EABBCAC0D106C4BAEE37C8B8314C70B-HX+pjaQZbrqcE4WynfumptQqCkab/8FMAL8bYrjMMd8@public.gmane.org> Sender: linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: David Woodhouse Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , "linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , "keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org" , "hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org" List-Id: linux-efi@vger.kernel.org T24gV2VkLCAyMDEzLTA5LTA0IGF0IDE3OjU3ICswMTAwLCBEYXZpZCBXb29kaG91c2Ugd3JvdGU6 DQo+IE9uIFR1ZSwgMjAxMy0wOS0wMyBhdCAxOTo1MCAtMDQwMCwgTWF0dGhldyBHYXJyZXR0IHdy b3RlOg0KPiA+IEFueSBoYXJkd2FyZSB0aGF0IGNhbiBwb3RlbnRpYWxseSBnZW5lcmF0ZSBETUEg aGFzIHRvIGJlIGxvY2tlZCBkb3duIGZyb20NCj4gPiB1c2Vyc3BhY2UgaW4gb3JkZXIgdG8gYXZv aWQgaXQgYmVpbmcgcG9zc2libGUgZm9yIGFuIGF0dGFja2VyIHRvIG1vZGlmeQ0KPiA+IGtlcm5l bCBjb2RlLCBhbGxvd2luZyB0aGVtIHRvIGNpcmN1bXZlbnQgZGlzYWJsZWQgbW9kdWxlIGxvYWRp bmcgb3IgbW9kdWxlDQo+ID4gc2lnbmluZy4gRGVmYXVsdCB0byBwYXJhbm9pZCAtIGluIGZ1dHVy ZSB3ZSBjYW4gcG90ZW50aWFsbHkgcmVsYXggdGhpcyBmb3INCj4gPiBzdWZmaWNpZW50bHkgSU9N TVUtaXNvbGF0ZWQgZGV2aWNlcy4NCj4gDQo+IENhbiB5b3UgZWxhYm9yYXRlIG9uIHdoYXQgeW91 IG1lYW4gYnkgInN1ZmZpY2llbnRseSBJT01NVS1pc29sYXRlZCIsIGFuZA0KPiB3aGF0J3MgbWlz c2luZyBiZWZvcmUgd2UgY2FuIGRvIHRoYXQ/DQoNCkRvIHdlIGhhdmUgaW4ta2VybmVsIEFQSSB0 byBndWFyYW50ZWUgdGhhdCBhIGdpdmVuIFBDSSBkZXZpY2UgaXMNCmFjdGl2ZWx5IGlzb2xhdGVk IGJ5IGFuIElPTU1VIHN1Y2ggdGhhdCBpdCBjYW4ndCBtb2RpZnkgYW55IGhvc3Qga2VybmVsDQpw YWdlcyB0aGF0IGFyZW4ndCBleHBsaWNpdGx5IGludGVuZGVkIHRvIGJlIHdyaXRhYmxlIGJ5IHRo ZSBkZXZpY2U/IFRoYXQNCnNlZW1zIHRvIGJlIHRoZSBiaWdnZXN0IGNvbnN0cmFpbnQuDQoNCj4g SWYgYSBnaXZlbiBkZXZpY2UgaXMgcHJvdGVjdGVkIGJ5IGFuIGFjdGl2ZSBJT01NVSwgYW5kIGlm IHRoZXJlJ3Mgbm8NCj4gZHJpdmVyIGxvYWRlZCBhbmQgaGVuY2Ugbm8gYWN0aXZlIERNQSBtYXBw aW5ncyBmb3IgdGhlIGRldmljZSBpbg0KPiBxdWVzdGlvbiwgdGhlbiB3ZSBvdWdodCB0byBiZSBh YmxlIHRvIHByb2QgYXQgaXQgc2FmZWx5LCByaWdodD8gSXQgY2FuJ3QNCj4gRE1BIGFueXdoZXJl IGFueXdheS4NCg0KSG93IGRvZXMgdmlydCBwYXNzdGhyb3VnaCB3b3JrIGluIHRoaXMgY2FzZT8g VGhlIGN1cnJlbnQgc2l0dWF0aW9uDQphcHBlYXJzIHRvIGJlIHRoYXQgcWVtdSBqdXN0IHBhc3Nl cyB0aGUgQkFScyB0aHJvdWdoIHRvIHRoZSBndWVzdCwgYW5kDQppdCdzIHRoZSBndWVzdCB0aGF0 IHNldHMgdGhpbmdzIHVwLiBXZSdkIG5lZWQgdG8gYmUgYWJsZSB0byBlbnN1cmUgdGhhdA0KdGhl cmUncyBubyB3YXkgdGhlIGd1ZXN0IGRyaXZlciBjYW4gY2F1c2UgRE1BIGludG8gdGhlIGhvc3Qg a2VybmVsLg0KDQo+IEFuZCB0aGVyZSBhcmUgbm9uLURNQSBjb25zaWRlcmF0aW9ucyB0b28sIGFy ZW4ndCB0aGVyZT8gV2hhdCBhYm91dCBqdXN0DQo+IHdyaXRpbmcgc29tZSBmdW4gc3R1ZmYgdG8g YSBtZW1vcnkgQkFSIGFuZCB0aGVuIHdyaXRpbmcgdG8gUENJIGNvbmZpZyB0bw0KPiBtYXAgdGhh dCBCQVIgdG8gYW4gYWRkcmVzcyB0aGF0IHdlIGNhbiBnZXQgZXhlY3V0ZWQgYnkga2VybmVsIGNv ZGU/DQoNClllcywgdGhhdCdzIHdoeSBjb25maWcgc3BhY2UgaXMgbG9ja2VkIGRvd24gZm9yIG5v dy4NCg0KLS0gDQpNYXR0aGV3IEdhcnJldHQgPG1hdHRoZXcuZ2FycmV0dEBuZWJ1bGEuY29tPg0K