From: Ard Biesheuvel <firstname.lastname@example.org>
To: Matthew Garrett <email@example.com>, Laszlo Ersek <firstname.lastname@example.org>
Cc: linux-efi <email@example.com>, "the arch/x86 maintainers" <firstname.lastname@example.org>, linux-pci <email@example.com>, Linux Kernel Mailing List <firstname.lastname@example.org>
Subject: Re: [PATCH] [EFI,PCI] Allow disabling PCI busmastering on bridges during boot
Date: Tue, 3 Dec 2019 11:54:21 +0000
Message-ID: <CAKv+Gu8emrf7WbTyGc8QDykX_hZbrVtxJKkRVbGFhd8rd13yww@mail.gmail.com>
In-Reply-To: <CACdnJus7nHdr4p4H1j5as9eB=FG-uX+wy_tjvTQ5ObErDJHdow@mail.gmail.com>

(+ Laszlo)

On Tue, 3 Dec 2019 at 00:43, Matthew Garrett <email@example.com> wrote:
>
> On Mon, Dec 2, 2019 at 4:40 PM Matthew Garrett
> <firstname.lastname@example.org> wrote:
> >
> > Add an option to disable the busmaster bit in the control register on
> > all PCI bridges before calling ExitBootServices() and passing control to
> > the runtime kernel. System firmware may configure the IOMMU to prevent
> > malicious PCI devices from being able to attack the OS via DMA. However,
> > since firmware can't guarantee that the OS is IOMMU-aware, it will tear
> > down IOMMU configuration when ExitBootServices() is called. This leaves
> > a window between where a hostile device could still cause damage before
> > Linux configures the IOMMU again.
>
> I don't know enough about ARM to know if this makes sense there as well. Anyone?

There is no reason this shouldn't apply to ARM, but disabling bus
mastering like that before the drivers themselves get a chance to do
so is likely to cause trouble. Network devices or storage controllers
that are still running and have live descriptor rings in DMA memory
shouldn't get the rug pulled from under their feet like that by
blindly disabling the BM attribute on all root ports before their
drivers have had the opportunity to do this cleanly.

One trick we implemented in EDK2 for memory encryption was to do the
following (Laszlo, mind correcting me here if I am remembering this
wrong?)

- create an event X
- register an AtExitBootServices event that signals event X in its handler
- in the handler of event X, iterate over all PPBs to clear the bus
  master attribute
- for bonus points, do the same for the PCIe devices themselves,
  because root ports are known to exist that entirely ignore the BM
  attribute

This way, event X should get handled after all the drivers' EBS event
handlers have been called.
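
The ordering argument in the message above, as an added stand-alone C model that is not part of the original message and is not EDK2 or kernel code. Assumptions: notifications are dispatched FIFO at a single priority level (real UEFI also orders by TPL), and the three-function topology, handler names and register values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PCI_COMMAND_MASTER 0x0004u /* command register bit 2: Bus Master Enable */
#define PCI_HEADER_BRIDGE  0x01u   /* header type 1: PCI-to-PCI bridge (PPB) */

struct pci_fn { uint8_t hdr_type; uint16_t command; int dma_live; };
typedef void (*notify_fn)(void);

static struct pci_fn fns[3];   /* constructed topology: root port, NIC, NVMe */
static notify_fn queue[8];
static size_t q_tail;
static int unsafe_clears;      /* endpoints with live DMA when a PPB was cut off */

/* Assumed model: signalling an event appends its handler to one FIFO queue. */
static void signal_event(notify_fn fn) { queue[q_tail++] = fn; }

/* A driver's own EBS handler: stop DMA first, then drop bus mastering. */
static void quiesce(struct pci_fn *f) {
    f->dma_live = 0;
    f->command &= (uint16_t)~PCI_COMMAND_MASTER;
}
static void nic_ebs(void)  { quiesce(&fns[1]); }
static void nvme_ebs(void) { quiesce(&fns[2]); }

/* Handler of "event X": clear Bus Master Enable on every PPB. */
static void clear_ppb_bus_master(void) {
    for (size_t i = 0; i < 3; i++) {
        if (fns[i].hdr_type != PCI_HEADER_BRIDGE) continue;
        for (size_t j = 0; j < 3; j++) unsafe_clears += fns[j].dma_live;
        fns[i].command &= (uint16_t)~PCI_COMMAND_MASTER;
    }
}
static void platform_ebs_deferred(void) { signal_event(clear_ppb_bus_master); }
static void platform_ebs_direct(void)   { clear_ppb_bus_master(); }

/* Runs all EBS handlers; returns how many live-DMA endpoints lost their bridge. */
int exit_boot_services(int defer) {
    fns[0] = (struct pci_fn){ PCI_HEADER_BRIDGE, 0x0007, 0 };
    fns[1] = (struct pci_fn){ 0x00, 0x0006, 1 };
    fns[2] = (struct pci_fn){ 0x00, 0x0006, 1 };
    q_tail = 0; unsafe_clears = 0;
    /* Worst case: the platform handler was registered before the drivers'. */
    signal_event(defer ? platform_ebs_deferred : platform_ebs_direct);
    signal_event(nic_ebs);
    signal_event(nvme_ebs);
    for (size_t head = 0; head < q_tail; head++) queue[head](); /* FIFO dispatch */
    return unsafe_clears;
}
uint16_t root_port_command(void) { return fns[0].command; }
int main(void) { printf("deferred=%d direct=%d\n", exit_boot_services(1), exit_boot_services(0)); return 0; }
```

In both modes the root port ends with Bus Master Enable cleared; only the deferred mode does so after every driver handler in the model has stopped its DMA.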