The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
Posted Mar 12, 2019 11:02 UTC (Tue) by westeri (subscriber, #62678)In reply to: The Thunderclap vulnerabilities by rweikusat2
Parent article: The Thunderclap vulnerabilities
https://lore.kernel.org/lkml/20190312060005.12189-1-baolu...
Posted Mar 12, 2019 14:25 UTC (Tue)
by rweikusat2 (subscriber, #117920)
[Link] (7 responses)
Posted Mar 12, 2019 16:16 UTC (Tue)
by westeri (subscriber, #62678)
[Link] (6 responses)
Posted Mar 12, 2019 19:48 UTC (Tue)
by rweikusat2 (subscriber, #117920)
[Link] (4 responses)
Assuming that memory protection/ accesss control with page granularity is available, DMA buffers used by untrusted devices (and this should really be all kinds of devices) must not share memory pages with code whose information said untrusted devices are not supposed to access if the access control is supposed to be used effectively. This means *if* such a facility is to be used in a sensible way, DMA buffer allocation must be per-device and separate from all other allocations, including other DMA buffer allocation.
There are obviously tradeoffs here as most real-world devices won't be untrusted but singling out a certain kind of devices and adding an additional DMA buffer allocation system working on top of the existing DMA buffer allocation systems is a technically seriously unpleasant workaround for a highly unlikely fringe case.
Posted Mar 12, 2019 21:01 UTC (Tue)
by westeri (subscriber, #62678)
[Link] (3 responses)
Posted Mar 12, 2019 21:50 UTC (Tue)
by rweikusat2 (subscriber, #117920)
[Link] (2 responses)
Yes. I thought I already wrote this ("this should really be all kinds of devices"): If this issue is supposed to be mitigated by the IOMMU, any driver which supports DMA would need to use its own DMA buffer backing pages cache. There's no need for individual buffers to span a complete page (or some number of complete pages) provided management information used by a driver isn't kept in the unused parts of some page a part of which is currently used as DMA buffer, at least not in a way where corruption could go unnoticed. Malicious device snooping on itself sounds pretty harmless to me ;-).
Assuming that fixing this is considered desirable (the underlying issue has existed forever --- there's no reason why hardware designed by an unknown entity ought to be trustworthy, especially not if this 'hardware' is in itself complicated enough to contain a general purpose CPU running some decidedly non-trivial software), this cries out for some sort of infrastructure support for DMA buffer allocation drivers could easily make use of.
NB: I understand the benefits of the existing approach. But that's still just life-patching of a more fundamentally deficient (in this respect) memory management model.
Posted Mar 13, 2019 15:21 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link] (1 responses)
The page cache would need to be separate for each *device*, not each driver. A device snooping on itself may be harmless, but the same is not necessarily true for snooping on other devices managed by the same driver. Besides the fact that one driver might manage multiple brands and models of devices, some more trustworthy than others, one can also envision e.g. a system with two identical NICs surreptitiously snooping on each other and transmitting internal network data over the external network.
Posted Mar 13, 2019 19:17 UTC (Wed)
by rweikusat2 (subscriber, #117920)
[Link]
A driver capable of managing more than one device would obviously need one cache per currently managed device. Do you think somebody wouldn't immediately recognize this if such a driver was under discussion?
Posted Mar 19, 2019 13:31 UTC (Tue)
by nix (subscriber, #2304)
[Link]
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
The Thunderclap vulnerabilities
> The page cache would need to be separate for each *device*, not each driver.
The Thunderclap vulnerabilities