From: Lu Baolu <baolu.lu@linux.intel.com>
To: David Woodhouse <dwmw2@infradead.org>,
Joerg Roedel <joro@8bytes.org>,
ashok.raj@intel.com, jacob.jun.pan@intel.com, alan.cox@intel.com,
kevin.tian@intel.com, mika.westerberg@linux.intel.com,
pengfei.xu@intel.com
Cc: baolu.lu@linux.intel.com, iommu@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 0/9] Bounce buffer for untrusted devices
Date: Tue, 12 Mar 2019 14:07:23 +0800 [thread overview]
Message-ID: <b818f647-766e-71f0-779e-1c997fd6a144@linux.intel.com> (raw)
In-Reply-To: <20190312060005.12189-1-baolu.lu@linux.intel.com>
Should be titled as "iommu/vt-d: Bounce buffer for untrusted devices".
Sorry for the inconvenience.
On 3/12/19 1:59 PM, Lu Baolu wrote:
> An external PCI device is a PCI peripheral device connected
> to the system through an external bus, such as Thunderbolt.
> What makes it different is that it can't be trusted to the
> same degree as the devices build into the system. Generally,
> a trusted PCIe device will DMA into the designated buffers
> and not overrun or otherwise write outside the specified
> bounds. But it's different for an external device. The minimum
> IOMMU mapping granularity is one page (4k), so for DMA transfers
> smaller than that a malicious PCIe device can access the whole
> page of memory even if it does not belong to the driver in
> question. This opens a possibility for DMA attack. For more
> information about DMA attacks imposed by an untrusted PCI/PCIe
> device, please refer to [2].
>
> This implements bounce buffer for the untrusted external
> devices. The transfers should be limited in isolated pages
> so the IOMMU window does not cover memory outside of what
> the driver expects. Full pages within a buffer could be
> directly mapped in IOMMU page table, but for partial pages
> we use bounce page instead.
>
> In addition, the IOMMU mappings cached in the IOTLB for
> untrusted devices should be invalidated immediately after
> the unmap operation. Otherwise, the IOMMU window is left
> open to attacks.
>
> The implementation of bounce buffers for untrusted devices
> will cause a little performance overhead, but we didn't see
> any user experience problems. The users could use the kernel
> parameter of "intel_iommu=nobounce" to remove the performance
> overhead if they trust their devices enough.
>
> The Thunderbolt vulnerabiltiies is public and has a nice
> name as Thunderclap nowadays. Please refer to [1] [3] for
> more information. This patch series aims to mitigate the
> concerns.
>
> The bounce buffer idea:
>
> Based-on-idea-by: Mika Westerberg <mika.westerberg@intel.com>
> Based-on-idea-by: Ashok Raj <ashok.raj@intel.com>
> Based-on-idea-by: Alan Cox <alan.cox@intel.com>
>
> The patch series has been tested by:
>
> Tested-by: Xu Pengfei <pengfei.xu@intel.com>
> Tested-by: Mika Westerberg <mika.westerberg@intel.com>
>
> [1] https://thunderclap.io/
> [2] https://thunderclap.io/thunderclap-paper-ndss2019.pdf
> [3] https://christian.kellner.me/2019/02/27/thunderclap-and-linux/
>
> Lu Baolu (9):
> iommu/vt-d: Add trace events for domain map/unmap
> iommu/vt-d: Add helpers for domain mapping/unmapping
> iommu/vt-d: Add address walk helper
> iommu/vt-d: Add bounce buffer API for domain map/unmap
> iommu/vt-d: Add bounce buffer API for dma sync
> iommu/vt-d: Check whether device requires bounce buffer
> iommu/vt-d: Add dma sync ops for untrusted devices
> iommu/vt-d: Flush IOTLB for untrusted device in time
> iommu/vt-d: Use bounce buffer for untrusted devices
>
> .../admin-guide/kernel-parameters.txt | 5 +
> drivers/iommu/Makefile | 1 +
> drivers/iommu/intel-iommu.c | 360 ++++++++++--
> drivers/iommu/intel-pgtable.c | 518 ++++++++++++++++++
> drivers/iommu/intel-trace.c | 14 +
> include/linux/intel-iommu.h | 24 +
> include/trace/events/intel_iommu.h | 132 +++++
> 7 files changed, 1010 insertions(+), 44 deletions(-)
> create mode 100644 drivers/iommu/intel-pgtable.c
> create mode 100644 drivers/iommu/intel-trace.c
> create mode 100644 include/trace/events/intel_iommu.h
>
prev parent reply other threads:[~2019-03-12 6:07 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-12 5:59 [PATCH v1 0/9] Bounce buffer for untrusted devices Lu Baolu
2019-03-12 5:59 ` [PATCH v1 1/9] iommu/vt-d: Add trace events for domain map/unmap Lu Baolu
2019-03-12 5:59 ` [PATCH v1 2/9] iommu/vt-d: Add helpers for domain mapping/unmapping Lu Baolu
2019-03-12 5:59 ` [PATCH v1 3/9] iommu/vt-d: Add address walk helper Lu Baolu
[not found] ` <20190312060005.12189-1-baolu.lu-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
2019-03-12 6:00 ` [PATCH v1 4/9] iommu/vt-d: Add bounce buffer API for domain map/unmap Lu Baolu
2019-03-12 16:38 ` Christoph Hellwig
2019-03-13 2:04 ` Lu Baolu
[not found] ` <e653341d-e001-7262-740b-2262842be06d-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
2019-03-13 2:31 ` Lu Baolu
[not found] ` <c9fe7879-569e-b4f4-d6ec-47ab7e6fd443-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
2019-03-13 16:10 ` Christoph Hellwig
[not found] ` <20190313161029.GA23513-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2019-03-14 1:01 ` Lu Baolu
2019-03-19 7:59 ` Lu Baolu
2019-03-19 11:21 ` Robin Murphy
2019-03-12 6:00 ` [PATCH v1 5/9] iommu/vt-d: Add bounce buffer API for dma sync Lu Baolu
2019-03-12 6:00 ` [PATCH v1 6/9] iommu/vt-d: Check whether device requires bounce buffer Lu Baolu
2019-03-12 6:00 ` [PATCH v1 7/9] iommu/vt-d: Add dma sync ops for untrusted devices Lu Baolu
2019-03-12 6:00 ` [PATCH v1 8/9] iommu/vt-d: Flush IOTLB for untrusted device in time Lu Baolu
2019-03-12 6:00 ` [PATCH v1 9/9] iommu/vt-d: Use bounce buffer for untrusted devices Lu Baolu
2019-03-12 6:07 ` Lu Baolu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b818f647-766e-71f0-779e-1c997fd6a144@linux.intel.com \
--to=baolu.lu@linux.intel.com \
--cc=alan.cox@intel.com \
--cc=ashok.raj@intel.com \
--cc=dwmw2@infradead.org \
--cc=iommu@lists.linux-foundation.org \
--cc=jacob.jun.pan@intel.com \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=pengfei.xu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).