linux-kernel.vger.kernel.org archive mirror
From: "Luebbers, Enno" <enno.luebbers@intel.com>
To: Jerome Glisse <jglisse@redhat.com>
Cc: Moritz Fischer <moritz.fischer@ettus.com>,
	Wu Hao <hao.wu@intel.com>, Alan Tull <atull@kernel.org>,
	linux-fpga@vger.kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	luwei.kang@intel.com, yi.z.zhang@intel.com
Subject: Re: [PATCH 00/16] Intel FPGA Device Drivers
Date: Fri, 14 Apr 2017 12:48:17 -0700
Message-ID: <20170414194817.GA27424@eluebber-mac02.jf.intel.com>
In-Reply-To: <20170412153746.GA17158@redhat.com>

On Wed, Apr 12, 2017 at 11:37:49AM -0400, Jerome Glisse wrote:
> On Wed, Apr 12, 2017 at 07:46:19AM -0700, Moritz Fischer wrote:
> > On Wed, Apr 12, 2017 at 6:29 AM, Jerome Glisse <jglisse@redhat.com> wrote:
> >
> > > It is like if on GPU we only had closed source compiler for the GPU
> > > instruction set. So FPGA is definitely following different rules than
> > > open source upstream GPU kernel driver abides to.
> > >
> > > I see this as highly problematic if not only for security purposes
> > > there is no way for anyone to audit how secure and sane the API you
> > > want to expose to userspace. Those FPGA might have connection to
> > > memory bus or device bus and thus they might get access to any memory.
> > 
> > It's up to the user to plug a specific piece of hardware into their
> > machine. After that it is up to the user to decide whether he wants
> > to load a bitstream that he doesn't have the source code for and
> > that he needs to compile with closed source software. Do you know if
> > NVIDIA has backdoors in their GPU, Intel in their NIC, or AMD in their
> > processor? What about that RTC, do you have the source code they
> > synthesized their ASIC design from?
> 
> Users do not always know what program they're executing. Think someone browsing
> some random website, through javascript program you might be able to escape
> the web browser and look for fpga device file, if one is present then it
> might be able to load a bitstream that would allow it to overwrite system
> memory and gain root privilege.
> 
> Even if you restrict the ioctl to upload bitstream to root user or some
> privilege user, you have to think about VM world. Someone from inside a
> vm that has access to an fpga device might be able to upload a bitstream
> that would allow to escape the vm and gain root privilege on the host
> operating system.

If you're worried about an accelerator on an FPGA going rogue and accessing
arbitrary host memory, consider that other (non-FPGA) hardware devices could
potentially do that, too (e.g. a PCIe device with a programmable DMA engine).
So this is not really an FPGA-specific concern.

Also, I don't think having an open-source toolchain would help defend against
these kinds of attacks at all. Just because you can generate bitstreams with an
open-source tool doesn't prevent the attacker from loading his own bitstreams.
Instead, you'll need to make sure that their bitstream (open-source or not), or,
in fact, any device, is prevented from accessing memory it's not authorized to
access, e.g. with an IOMMU programmed via the kernel's DMA API.

But that's not a toolchain issue.

Thanks
- Enno
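
The IOMMU confinement described in the message above only applies if the device actually sits behind an IOMMU. As an added example (not code from this thread or the patch series), the following reads the Linux sysfs IOMMU-group links to report whether a PCI device has a group and which devices share it. The PCI addresses and group numbers in the sample tree are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). SYSFS is a parameter so the check can
# run against the constructed tree below; on a live host pass /sys.

# iommu_group_of SYSFS BDF: print the device's IOMMU group, or return 1.
iommu_group_of() {
    link="$1/bus/pci/devices/$2/iommu_group"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# iommu_peers SYSFS BDF: print the other devices in the same group.
iommu_peers() {
    grp=$(iommu_group_of "$1" "$2") || return 1
    for d in "$1/kernel/iommu_groups/$grp/devices"/*; do
        [ -e "$d" ] || [ -L "$d" ] || continue
        name=$(basename "$d")
        [ "$name" = "$2" ] || echo "$name"
    done
}

# audit_device SYSFS BDF: one-line verdict; non-zero if DMA is not confined.
audit_device() {
    if ! grp=$(iommu_group_of "$1" "$2"); then
        echo "$2: no IOMMU group (DMA not confined)"
        return 1
    fi
    peers=$(iommu_peers "$1" "$2" | tr '\n' ' ')
    if [ -n "$peers" ]; then
        echo "$2: group $grp shared with: ${peers% }"
    else
        echo "$2: group $grp isolated"
    fi
}

# Constructed sample tree: BDF=group pairs are made up; empty group = none.
make_sample_sysfs() {
    for spec in 0000:03:00.0=7 0000:04:00.0=8 0000:04:00.1=8 0000:05:00.0=; do
        bdf=${spec%%=*}; g=${spec#*=}
        mkdir -p "$1/bus/pci/devices/$bdf"
        [ -n "$g" ] || continue
        mkdir -p "$1/kernel/iommu_groups/$g/devices"
        ln -s "../../../../kernel/iommu_groups/$g" "$1/bus/pci/devices/$bdf/iommu_group"
        ln -s "../../../../bus/pci/devices/$bdf" "$1/kernel/iommu_groups/$g/devices/$bdf"
    done
}

demo=$(mktemp -d) && make_sample_sysfs "$demo" && audit_device "$demo" 0000:04:00.0; rm -rf "$demo"
```

On a live host, call `audit_device /sys <address>` with the device's real PCI address. Devices that share a group are not separated from each other by the IOMMU, which matters when one of them is assigned to a VM.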
