linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/3] Add support for privileged mappings
@ 2016-07-06 23:51 Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 1/3] iommu: add IOMMU_PRIV attribute Mitchel Humpherys
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Mitchel Humpherys @ 2016-07-06 23:51 UTC (permalink / raw)
  To: linux-arm-kernel

The following patch to the ARM SMMU driver:

    commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
    Author: Robin Murphy <robin.murphy@arm.com>
    Date:   Tue Jan 26 18:06:34 2016 +0000
    
        iommu/arm-smmu: Treat all device transactions as unprivileged

started forcing all SMMU transactions to come through as "unprivileged".
The rationale given was that:

  (1) There is no way in the IOMMU API to even request privileged mappings.

  (2) It's difficult to implement a DMA mapper that correctly models the
      ARM VMSAv8 behavior of unprivileged-writeable =>
      privileged-execute-never.

This series attempts to rectify (1) by introducing an IOMMU API for
privileged mappings (and implementing it in io-pgtable-arm).  It seems like
(2) can be safely ignored for now under the assumption that any users of
the IOMMU_PRIV flag will be using the low-level IOMMU APIs directly, rather
than going through the DMA APIs.

Robin, Will, what do you think?  Jordan and Jeremy can provide more info on
the use case if needed, but the high level is that it's a security feature
to prevent attacks such as [1].

[1] https://github.com/robclark/kilroy


Jeremy Gebben (1):
  iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag

Mitchel Humpherys (2):
  iommu: add IOMMU_PRIV attribute
  Revert "iommu/arm-smmu: Treat all device transactions as unprivileged"

 drivers/iommu/arm-smmu.c       |  5 +----
 drivers/iommu/io-pgtable-arm.c | 16 +++++++++++-----
 include/linux/iommu.h          |  1 +
 3 files changed, 13 insertions(+), 9 deletions(-)

-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 1/3] iommu: add IOMMU_PRIV attribute
  2016-07-06 23:51 [PATCH 0/3] Add support for privileged mappings Mitchel Humpherys
@ 2016-07-06 23:51 ` Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 2/3] iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag Mitchel Humpherys
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Mitchel Humpherys @ 2016-07-06 23:51 UTC (permalink / raw)
  To: linux-arm-kernel

Add the IOMMU_PRIV attribute, which is used to indicate privileged
mappings.

Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
---
 include/linux/iommu.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index 664683aedcce..01c9f2667f2b 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -31,6 +31,7 @@
 #define IOMMU_CACHE	(1 << 2) /* DMA cache coherency */
 #define IOMMU_NOEXEC	(1 << 3)
 #define IOMMU_MMIO	(1 << 4) /* e.g. things like MSI doorbells */
+#define IOMMU_PRIV	(1 << 5)
 
 struct iommu_ops;
 struct iommu_group;
-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 2/3] iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag
  2016-07-06 23:51 [PATCH 0/3] Add support for privileged mappings Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 1/3] iommu: add IOMMU_PRIV attribute Mitchel Humpherys
@ 2016-07-06 23:51 ` Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 3/3] Revert "iommu/arm-smmu: Treat all device transactions as unprivileged" Mitchel Humpherys
  2016-07-07 17:00 ` [PATCH 0/3] Add support for privileged mappings Will Deacon
  3 siblings, 0 replies; 7+ messages in thread
From: Mitchel Humpherys @ 2016-07-06 23:51 UTC (permalink / raw)
  To: linux-arm-kernel

From: Jeremy Gebben <jgebben@codeaurora.org>

Allow the creation of privileged mode mappings, for stage 1 only.

Signed-off-by: Jeremy Gebben <jgebben@codeaurora.org>
---
 drivers/iommu/io-pgtable-arm.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index a1ed1b73fed4..e9e7dd179708 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -101,8 +101,10 @@
 					 ARM_LPAE_PTE_ATTR_HI_MASK)
 
 /* Stage-1 PTE */
-#define ARM_LPAE_PTE_AP_UNPRIV		(((arm_lpae_iopte)1) << 6)
-#define ARM_LPAE_PTE_AP_RDONLY		(((arm_lpae_iopte)2) << 6)
+#define ARM_LPAE_PTE_AP_PRIV_RW		(((arm_lpae_iopte)0) << 6)
+#define ARM_LPAE_PTE_AP_RW		(((arm_lpae_iopte)1) << 6)
+#define ARM_LPAE_PTE_AP_PRIV_RO		(((arm_lpae_iopte)2) << 6)
+#define ARM_LPAE_PTE_AP_RO		(((arm_lpae_iopte)3) << 6)
 #define ARM_LPAE_PTE_ATTRINDX_SHIFT	2
 #define ARM_LPAE_PTE_nG			(((arm_lpae_iopte)1) << 11)
 
@@ -350,10 +352,14 @@ static arm_lpae_iopte arm_lpae_prot_to_pte(struct arm_lpae_io_pgtable *data,
 
 	if (data->iop.fmt == ARM_64_LPAE_S1 ||
 	    data->iop.fmt == ARM_32_LPAE_S1) {
-		pte = ARM_LPAE_PTE_AP_UNPRIV | ARM_LPAE_PTE_nG;
+		pte = ARM_LPAE_PTE_nG;
 
-		if (!(prot & IOMMU_WRITE) && (prot & IOMMU_READ))
-			pte |= ARM_LPAE_PTE_AP_RDONLY;
+		if (prot & IOMMU_WRITE)
+			pte |= (prot & IOMMU_PRIV) ? ARM_LPAE_PTE_AP_PRIV_RW
+					: ARM_LPAE_PTE_AP_RW;
+		else
+			pte |= (prot & IOMMU_PRIV) ? ARM_LPAE_PTE_AP_PRIV_RO
+					: ARM_LPAE_PTE_AP_RO;
 
 		if (prot & IOMMU_MMIO)
 			pte |= (ARM_LPAE_MAIR_ATTR_IDX_DEV
-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 3/3] Revert "iommu/arm-smmu: Treat all device transactions as unprivileged"
  2016-07-06 23:51 [PATCH 0/3] Add support for privileged mappings Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 1/3] iommu: add IOMMU_PRIV attribute Mitchel Humpherys
  2016-07-06 23:51 ` [PATCH 2/3] iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag Mitchel Humpherys
@ 2016-07-06 23:51 ` Mitchel Humpherys
  2016-07-07 17:00 ` [PATCH 0/3] Add support for privileged mappings Will Deacon
  3 siblings, 0 replies; 7+ messages in thread
From: Mitchel Humpherys @ 2016-07-06 23:51 UTC (permalink / raw)
  To: linux-arm-kernel

This reverts commit (d346180e70b91b3d: "iommu/arm-smmu: Treat all device
transactions as unprivileged") since some platforms actually make use of
privileged transactions.

Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
---
 drivers/iommu/arm-smmu.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
index 9345a3fcb706..d0627ef26b05 100644
--- a/drivers/iommu/arm-smmu.c
+++ b/drivers/iommu/arm-smmu.c
@@ -178,9 +178,6 @@
 #define S2CR_TYPE_BYPASS		(1 << S2CR_TYPE_SHIFT)
 #define S2CR_TYPE_FAULT			(2 << S2CR_TYPE_SHIFT)
 
-#define S2CR_PRIVCFG_SHIFT		24
-#define S2CR_PRIVCFG_UNPRIV		(2 << S2CR_PRIVCFG_SHIFT)
-
 /* Context bank attribute registers */
 #define ARM_SMMU_GR1_CBAR(n)		(0x0 + ((n) << 2))
 #define CBAR_VMID_SHIFT			0
@@ -1175,7 +1172,7 @@ static int arm_smmu_domain_add_master(struct arm_smmu_domain *smmu_domain,
 		u32 idx, s2cr;
 
 		idx = cfg->smrs ? cfg->smrs[i].idx : cfg->streamids[i];
-		s2cr = S2CR_TYPE_TRANS | S2CR_PRIVCFG_UNPRIV |
+		s2cr = S2CR_TYPE_TRANS |
 		       (smmu_domain->cfg.cbndx << S2CR_CBNDX_SHIFT);
 		writel_relaxed(s2cr, gr0_base + ARM_SMMU_GR0_S2CR(idx));
 	}
-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH 0/3] Add support for privileged mappings
  2016-07-06 23:51 [PATCH 0/3] Add support for privileged mappings Mitchel Humpherys
                   ` (2 preceding siblings ...)
  2016-07-06 23:51 ` [PATCH 3/3] Revert "iommu/arm-smmu: Treat all device transactions as unprivileged" Mitchel Humpherys
@ 2016-07-07 17:00 ` Will Deacon
  2016-07-07 20:58   ` Jordan Crouse
  3 siblings, 1 reply; 7+ messages in thread
From: Will Deacon @ 2016-07-07 17:00 UTC (permalink / raw)
  To: linux-arm-kernel

On Wed, Jul 06, 2016 at 04:51:33PM -0700, Mitchel Humpherys wrote:
> The following patch to the ARM SMMU driver:
> 
>     commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
>     Author: Robin Murphy <robin.murphy@arm.com>
>     Date:   Tue Jan 26 18:06:34 2016 +0000
>     
>         iommu/arm-smmu: Treat all device transactions as unprivileged
> 
> started forcing all SMMU transactions to come through as "unprivileged".
> The rationale given was that:
> 
>   (1) There is no way in the IOMMU API to even request privileged mappings.
> 
>   (2) It's difficult to implement a DMA mapper that correctly models the
>       ARM VMSAv8 behavior of unprivileged-writeable =>
>       privileged-execute-never.
> 
> This series attempts to rectify (1) by introducing an IOMMU API for
> privileged mappings (and implementing it in io-pgtable-arm).  It seems like
> (2) can be safely ignored for now under the assumption that any users of
> the IOMMU_PRIV flag will be using the low-level IOMMU APIs directly, rather
> than going through the DMA APIs.
> 
> Robin, Will, what do you think?  Jordan and Jeremy can provide more info on
> the use case if needed, but the high level is that it's a security feature
> to prevent attacks such as [1].

So I think the problem that the offending patch tried to fix is that
the PL330 DMA controller (drivers/dma/pl330.c) uses dma_alloc_coherent
to allocate its microcode buffer, but the so-called "manager" thread
that fetches the microcode does so with privileged accesses and
consequently fails.

Whilst this series is a step in the right direction for fixing that, I
don't think you can claim that only low-level users need this, given that
we have in-tree code which would break without it. Perhaps you just need
to extend things slightly more to expose this to the DMA API as well (or,
alternatively, hack the PL330 driver some how).

Will

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 0/3] Add support for privileged mappings
  2016-07-07 17:00 ` [PATCH 0/3] Add support for privileged mappings Will Deacon
@ 2016-07-07 20:58   ` Jordan Crouse
  2016-07-09  2:09     ` Mitchel Humpherys
  0 siblings, 1 reply; 7+ messages in thread
From: Jordan Crouse @ 2016-07-07 20:58 UTC (permalink / raw)
  To: linux-arm-kernel

On Thu, Jul 07, 2016 at 06:00:26PM +0100, Will Deacon wrote:
> On Wed, Jul 06, 2016 at 04:51:33PM -0700, Mitchel Humpherys wrote:
> > The following patch to the ARM SMMU driver:
> > 
> >     commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
> >     Author: Robin Murphy <robin.murphy@arm.com>
> >     Date:   Tue Jan 26 18:06:34 2016 +0000
> >     
> >         iommu/arm-smmu: Treat all device transactions as unprivileged
> > 
> > started forcing all SMMU transactions to come through as "unprivileged".
> > The rationale given was that:
> > 
> >   (1) There is no way in the IOMMU API to even request privileged mappings.
> > 
> >   (2) It's difficult to implement a DMA mapper that correctly models the
> >       ARM VMSAv8 behavior of unprivileged-writeable =>
> >       privileged-execute-never.
> > 
> > This series attempts to rectify (1) by introducing an IOMMU API for
> > privileged mappings (and implementing it in io-pgtable-arm).  It seems like
> > (2) can be safely ignored for now under the assumption that any users of
> > the IOMMU_PRIV flag will be using the low-level IOMMU APIs directly, rather
> > than going through the DMA APIs.
> > 
> > Robin, Will, what do you think?  Jordan and Jeremy can provide more info on
> > the use case if needed, but the high level is that it's a security feature
> > to prevent attacks such as [1].
> 
> So I think the problem that the offending patch tried to fix is that
> the PL330 DMA controller (drivers/dma/pl330.c) uses dma_alloc_coherent
> to allocate its microcode buffer, but the so-called "manager" thread
> that fetches the microcode does so with privileged accesses and
> consequently fails.
 
Not surprisingly the GPU works almost exactly the same way. The microcode does a
privileged access of certain buffers. The difference is that we use the IOMMU
API directly instead of going through the DMA api. Obviously the GPU can work
as is with the unprivileged transaction patch but it does leave largish
blocks of memory open to possible attacks as Mitch pointed out.

> Whilst this series is a step in the right direction for fixing that, I
> don't think you can claim that only low-level users need this, given that
> we have in-tree code which would break without it. Perhaps you just need
> to extend things slightly more to expose this to the DMA API as well (or,
> alternatively, hack the PL330 driver some how).

I agree that hacking the DMA api would be the best long term solution but there
be dragons there. Perhaps a workable compromise might be to white-list
privileged aware devices via the device tree.

Jordan
-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 0/3] Add support for privileged mappings
  2016-07-07 20:58   ` Jordan Crouse
@ 2016-07-09  2:09     ` Mitchel Humpherys
  0 siblings, 0 replies; 7+ messages in thread
From: Mitchel Humpherys @ 2016-07-09  2:09 UTC (permalink / raw)
  To: linux-arm-kernel

On Thu, Jul 07 2016 at 02:58:21 PM, Jordan Crouse <jcrouse@codeaurora.org> wrote:
>> Whilst this series is a step in the right direction for fixing that, I
>> don't think you can claim that only low-level users need this, given that
>> we have in-tree code which would break without it. Perhaps you just need
>> to extend things slightly more to expose this to the DMA API as well (or,
>> alternatively, hack the PL330 driver some how).
>
> I agree that hacking the DMA api would be the best long term solution but there
> be dragons there. Perhaps a workable compromise might be to white-list
> privileged aware devices via the device tree.

I'm sending a v2 with an attempt at plumbing this through the DMA layer.
Hopefully avoiding dragons while I'm at it :)


-Mitch

-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2016-07-09  2:09 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-07-06 23:51 [PATCH 0/3] Add support for privileged mappings Mitchel Humpherys
2016-07-06 23:51 ` [PATCH 1/3] iommu: add IOMMU_PRIV attribute Mitchel Humpherys
2016-07-06 23:51 ` [PATCH 2/3] iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag Mitchel Humpherys
2016-07-06 23:51 ` [PATCH 3/3] Revert "iommu/arm-smmu: Treat all device transactions as unprivileged" Mitchel Humpherys
2016-07-07 17:00 ` [PATCH 0/3] Add support for privileged mappings Will Deacon
2016-07-07 20:58   ` Jordan Crouse
2016-07-09  2:09     ` Mitchel Humpherys

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).