From: David Woodhouse <dwmw2@infradead.org>
To: Matthew Garrett <matthew.garrett@nebula.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"hpa@zytor.com" <hpa@zytor.com>
Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled
Date: Wed, 04 Sep 2013 20:31:57 +0100 [thread overview]
Message-ID: <1378323117.2627.18.camel@shinybook.infradead.org> (raw)
In-Reply-To: <1378321314.13193.7.camel@x230>
[-- Attachment #1: Type: text/plain, Size: 1259 bytes --]
On Wed, 2013-09-04 at 19:01 +0000, Matthew Garrett wrote:
> But presumably the guest's view of RAM is what gets written to the BARs?
You're talking about the MMIO BARs of the devices which are given to the
guest, right? The register into which we write the 'ring buffer
address', and for that matter also the addresses which are written
*into* that ring buffer, etc.
It is indeed the guest's "physical address" which is written there. The
guest knows nothing of *host* physical addresses.
For the normal MMU, the guest sets up its page tables and, by the magic
of KVM, guest virtual addresses are translated twice — once to guest
*physical* addresses, and then to real physical addresses for stuff to
actually work.
For DMA, the guest hands 'guest physical' addresses directly to the
device. And we've set up the IOMMU to have a mapping of all of guest
physical address space, to the appropriate host physical pages.
> I guess if we know it's constrained then there's no need to restrict the
> addresses that can be set - we know that they'll be unable to overlap
> the host RAM.
There is no need to restrict the addresses that can be set. The only
addresses it can reach are pages which belong to the guest.
--
dwmw2
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5745 bytes --]
next prev parent reply other threads:[~2013-09-04 19:32 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-03 23:50 Matthew Garrett
2013-09-03 23:50 ` [PATCH V3 01/11] Add secure_modules() call Matthew Garrett
2013-09-04 0:45 ` James Morris
2013-09-05 2:14 ` joeyli
2013-09-03 23:50 ` [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Matthew Garrett
2013-09-04 0:45 ` James Morris
2013-09-04 16:57 ` David Woodhouse
2013-09-04 17:04 ` Matthew Garrett
2013-09-04 18:58 ` David Woodhouse
2013-09-04 19:01 ` Matthew Garrett
2013-09-04 19:31 ` David Woodhouse [this message]
2013-09-03 23:50 ` [PATCH V3 03/11] x86: Lock down IO port " Matthew Garrett
2013-09-04 0:45 ` James Morris
2013-09-05 3:52 ` H. Peter Anvin
2013-09-05 3:58 ` Matthew Garrett
2013-09-05 15:36 ` H. Peter Anvin
2013-09-03 23:50 ` [PATCH V3 04/11] ACPI: Limit access to custom_method Matthew Garrett
2013-09-04 0:46 ` James Morris
2013-09-03 23:50 ` [PATCH V3 05/11] asus-wmi: Restrict debugfs interface when module loading is restricted Matthew Garrett
2013-09-04 0:46 ` James Morris
2013-09-03 23:50 ` [PATCH V3 06/11] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2013-09-04 0:47 ` James Morris
2013-09-03 23:50 ` [PATCH V3 07/11] acpi: Ignore acpi_rsdp kernel parameter " Matthew Garrett
2013-09-03 23:50 ` [PATCH V3 08/11] kexec: Disable at runtime if the kernel enforces module loading restrictions Matthew Garrett
2013-09-04 0:48 ` James Morris
2013-09-04 20:09 ` jerry.hoemann
2013-09-04 20:12 ` Matthew Garrett
2013-09-04 20:14 ` Josh Boyer
2013-09-08 6:40 ` Greg KH
2013-09-08 6:44 ` Matthew Garrett
2013-09-08 7:24 ` Greg KH
2013-09-08 14:40 ` Matthew Garrett
2013-09-08 15:51 ` Kees Cook
2013-09-08 16:18 ` Greg KH
2013-09-08 16:24 ` Matthew Garrett
2013-09-08 16:39 ` Greg KH
2013-09-08 16:59 ` Matthew Garrett
2013-09-08 17:22 ` Greg KH
2013-09-08 17:25 ` Matthew Garrett
2013-09-08 17:11 ` James Bottomley
2013-09-08 17:15 ` Matthew Garrett
2013-09-08 17:22 ` James Bottomley
2013-09-08 17:27 ` Matthew Garrett
2013-09-08 17:32 ` James Bottomley
2013-09-08 17:38 ` Matthew Garrett
2013-09-03 23:50 ` [PATCH V3 09/11] uswsusp: Disable when module loading is restricted Matthew Garrett
2013-09-04 0:48 ` James Morris
2013-09-05 3:20 ` joeyli
2013-09-03 23:50 ` [PATCH V3 10/11] x86: Restrict MSR access " Matthew Garrett
2013-09-04 0:49 ` James Morris
2013-09-03 23:50 ` [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode Matthew Garrett
2013-09-04 1:42 ` James Morris
2013-09-04 1:42 ` Matthew Garrett
2013-09-05 3:13 ` joeyli
2013-09-05 8:24 ` joeyli
2013-09-05 10:16 ` Matt Fleming
2013-09-05 12:54 ` Matthew Garrett
2013-09-04 15:53 ` Kees Cook
2013-09-04 16:05 ` Re: Josh Boyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1378323117.2627.18.camel@shinybook.infradead.org \
--to=dwmw2@infradead.org \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).