From: Claire Chang <tientzu@chromium.org>
To: robh+dt@kernel.org, frowand.list@gmail.com, hch@lst.de, m.szyprowski@samsung.com, robin.murphy@arm.com
Cc: treding@nvidia.com, gregkh@linuxfoundation.org, saravanak@google.com, suzuki.poulose@arm.com, dan.j.williams@intel.com, heikki.krogerus@linux.intel.com, bgolaszewski@baylibre.com, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org, drinkcat@chromium.org, tfiga@chromium.org, tientzu@chromium.org
Subject: [RFC v2 0/5] Restricted DMA
Date: Tue, 28 Jul 2020 13:01:35 +0800
Message-ID: <20200728050140.996974-1-tientzu@chromium.org>

This series implements mitigations for lack of DMA access control on systems without an IOMMU, which could result in the DMA accessing the system memory at unexpected times and/or unexpected addresses, possibly leading to data leakage or corruption.

For example, we plan to use the PCI-e bus for Wi-Fi on one MTK platform and that PCI-e bus is not behind an IOMMU. As PCI-e, by design, gives the device full access to system memory, a vulnerability in the Wi-Fi firmware could easily escalate to a full system exploit (remote Wi-Fi exploits: [1a], [1b], which show a full chain of exploits; [2], [3]).

To mitigate the security concerns, we introduce restricted DMA. The restricted DMA is implemented by per-device swiotlb and coherent memory pools. The feature on its own provides a basic level of protection against the DMA overwriting buffer contents at unexpected times. However, to protect against general data leakage and system memory corruption, the system needs to provide a way to restrict the DMA to a predefined memory region (this is usually done at firmware level, e.g. in ATF on some ARM platforms).

[1a] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
[1b] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
[2] https://blade.tencent.com/en/advisories/qualpwn/
[3] https://www.bleepingcomputer.com/news/security/vulnerabilities-found-in-highly-popular-firmware-for-wifi-chips/

Claire Chang (5):
  swiotlb: Add io_tlb_mem struct
  swiotlb: Add device swiotlb pool
  swiotlb: Use device swiotlb pool if available
  dt-bindings: of: Add plumbing for restricted DMA pool
  of: Add plumbing for restricted DMA pool

 .../reserved-memory/reserved-memory.txt |  35 ++
 drivers/iommu/intel/iommu.c             |   8 +-
 drivers/of/address.c                    |  39 ++
 drivers/of/device.c                     |   3 +
 drivers/of/of_private.h                 |   6 +
 drivers/xen/swiotlb-xen.c               |   4 +-
 include/linux/device.h                  |   4 +
 include/linux/dma-direct.h              |   8 +-
 include/linux/swiotlb.h                 |  49 +-
 kernel/dma/direct.c                     |   8 +-
 kernel/dma/swiotlb.c                    | 418 +++++++++++-------
 11 files changed, 393 insertions(+), 189 deletions(-)

--
v1: https://lore.kernel.org/patchwork/cover/1271660/

Changes in v2:
- build on top of swiotlb 2.28.0.rc0.142.g3c755180ce-goog
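The mechanism the cover letter describes, modelled in user-space C as an added example (this is not code from the series, nor the kernel's swiotlb): a per-device bounce pool where every mapping copies in and out of the pool and the device is only ever handed pool addresses, plus a `device_write` stand-in for the firmware-level window that confines the device to that region. The slot size, pool size, bus addresses, payloads and all function names are assumptions for the model.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Slot granularity and pool size are assumptions; the page gives no values. */
#define SLOT_SIZE 2048u
#define NR_SLOTS  8u
#define POOL_SIZE (SLOT_SIZE * NR_SLOTS)

enum dma_dir { DMA_TO_DEVICE, DMA_FROM_DEVICE, DMA_BIDIRECTIONAL };

struct restricted_pool {
    uint8_t *vaddr;                /* CPU view of the reserved region */
    uint64_t dev_base;             /* bus address of that region, as the device sees it */
    unsigned char used[NR_SLOTS];
};

struct dma_mapping {
    void *orig;                    /* driver buffer, anywhere in system memory */
    size_t len;
    unsigned first_slot, nslots;
    enum dma_dir dir;
    uint64_t dev_addr;             /* the only address the device is ever told */
};

unsigned slots_for_len(size_t len)
{
    return (unsigned)((len + SLOT_SIZE - 1) / SLOT_SIZE);
}

/* A real system carves this out of the device-tree reserved-memory region. */
int pool_init(struct restricted_pool *p, uint64_t dev_base)
{
    p->vaddr = calloc(1, POOL_SIZE);
    if (!p->vaddr) return -1;
    p->dev_base = dev_base;
    memset(p->used, 0, sizeof p->used);
    return 0;
}

/* Bounce a driver buffer into free contiguous slots; the device only ever sees a pool address. */
int pool_map(struct restricted_pool *p, struct dma_mapping *m,
             void *buf, size_t len, enum dma_dir dir)
{
    unsigned need = slots_for_len(len), start, i;
    if (need == 0 || need > NR_SLOTS)
        return -1;
    for (start = 0; start + need <= NR_SLOTS; start++) {
        for (i = 0; i < need && !p->used[start + i]; i++) {}
        if (i != need)
            continue;
        memset(p->used + start, 1, need);
        m->orig = buf; m->len = len; m->dir = dir; m->first_slot = start; m->nslots = need;
        m->dev_addr = p->dev_base + (uint64_t)start * SLOT_SIZE;
        if (dir != DMA_FROM_DEVICE)
            memcpy(p->vaddr + start * SLOT_SIZE, buf, len);
        return 0;
    }
    return -1;
}

/* Copy the device's output back and free the slots; a late device write now hits the pool only. */
void pool_unmap(struct restricted_pool *p, struct dma_mapping *m)
{
    uint8_t *slot = p->vaddr + m->first_slot * SLOT_SIZE;
    if (m->dir != DMA_TO_DEVICE)
        memcpy(m->orig, slot, m->len);
    memset(p->used + m->first_slot, 0, m->nslots);
    memset(slot, 0, (size_t)m->nslots * SLOT_SIZE);  /* no leftovers for the next mapping */
}

/* Firmware-enforced window (e.g. set up by ATF): the device reaches the pool and nothing else. */
int device_write(struct restricted_pool *p, uint64_t dev_addr,
                 const void *data, size_t len)
{
    if (len > POOL_SIZE || dev_addr < p->dev_base ||
        dev_addr - p->dev_base > POOL_SIZE - len)
        return -1;                                   /* blocked */
    memcpy(p->vaddr + (dev_addr - p->dev_base), data, len);
    return 0;
}

/* A frame arrives normally; then the (compromised) device writes after unmap and outside the window. */
int scenario_late_write_is_contained(void)
{
    struct restricted_pool p; struct dma_mapping m;
    char rxbuf[64] = {0}; int ok;
    const char frame[8] = "frame!!", evil[4] = "pwn";  /* constructed payloads */
    if (pool_init(&p, 0x80000000ull) < 0 ||
        pool_map(&p, &m, rxbuf, sizeof rxbuf, DMA_FROM_DEVICE) < 0 ||
        device_write(&p, m.dev_addr, frame, sizeof frame) < 0)
        return -1;
    pool_unmap(&p, &m);
    device_write(&p, m.dev_addr, evil, sizeof evil);   /* late DMA: lands in the pool */
    ok = memcmp(rxbuf, frame, sizeof frame) == 0 &&    /* driver buffer intact */
         device_write(&p, 0x40000000ull, evil, sizeof evil) == -1;
    free(p.vaddr);
    return ok;                                         /* 1 = both rogue writes contained */
}
```

The two halves of the model match the two halves of the cover letter's argument: the bounce pool alone (`pool_map`/`pool_unmap`) keeps a device write that arrives after unmap away from the driver's buffer, but only the window check in `device_write` stops the device from reading or writing arbitrary system memory, and that check has no software equivalent without an IOMMU, which is why the series relies on firmware to restrict the device to the reserved region.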