| From: |
| Claire Chang <tientzu-AT-chromium.org> |
| To: |
| robh+dt-AT-kernel.org, mpe-AT-ellerman.id.au, benh-AT-kernel.crashing.org, paulus-AT-samba.org, joro-AT-8bytes.org, will-AT-kernel.org, frowand.list-AT-gmail.com, konrad.wilk-AT-oracle.com, boris.ostrovsky-AT-oracle.com, jgross-AT-suse.com, sstabellini-AT-kernel.org, hch-AT-lst.de, m.szyprowski-AT-samsung.com, robin.murphy-AT-arm.com |
| Subject: |
| [RFC PATCH v3 0/6] Restricted DMA |
| Date: |
| Wed, 06 Jan 2021 11:41:18 +0800 |
| Message-ID: |
| <20210106034124.30560-1-tientzu@chromium.org> |
| Cc: |
| grant.likely-AT-arm.com, xypron.glpk-AT-gmx.de, treding-AT-nvidia.com, mingo-AT-kernel.org, bauerman-AT-linux.ibm.com, peterz-AT-infradead.org, gregkh-AT-linuxfoundation.org, saravanak-AT-google.com, rafael.j.wysocki-AT-intel.com, heikki.krogerus-AT-linux.intel.com, andriy.shevchenko-AT-linux.intel.com, rdunlap-AT-infradead.org, dan.j.williams-AT-intel.com, bgolaszewski-AT-baylibre.com, devicetree-AT-vger.kernel.org, linux-kernel-AT-vger.kernel.org, linuxppc-dev-AT-lists.ozlabs.org, iommu-AT-lists.linux-foundation.org, xen-devel-AT-lists.xenproject.org, tfiga-AT-chromium.org, drinkcat-AT-chromium.org, Claire Chang <tientzu-AT-chromium.org> |
| Archive-link: |
| Article |
This series implements mitigations for lack of DMA access control on
systems without an IOMMU, which could result in the DMA accessing the
system memory at unexpected times and/or unexpected addresses, possibly
leading to data leakage or corruption.
For example, we plan to use the PCI-e bus for Wi-Fi and that PCI-e bus is
not behind an IOMMU. As PCI-e, by design, gives the device full access to
system memory, a vulnerability in the Wi-Fi firmware could easily escalate
to a full system exploit (remote wifi exploits: [1a], [1b] that shows a
full chain of exploits; [2], [3]).
To mitigate the security concerns, we introduce restricted DMA. Restricted
DMA utilizes the existing swiotlb to bounce streaming DMA in and out of a
specially allocated region and does memory allocation from the same region.
The feature on its own provides a basic level of protection against the DMA
overwriting buffer contents at unexpected times. However, to protect
against general data leakage and system memory corruption, the system needs
to provide a way to restrict the DMA to a predefined memory region (this is
usually done at firmware level, e.g. in ATF on some ARM platforms).
[1a] https://googleprojectzero.blogspot.com/2017/04/over-air-e...
[1b] https://googleprojectzero.blogspot.com/2017/04/over-air-e...
[2] https://blade.tencent.com/en/advisories/qualpwn/
[3] https://www.bleepingcomputer.com/news/security/vulnerabil...
Claire Chang (6):
swiotlb: Add io_tlb_mem struct
swiotlb: Add restricted DMA pool
swiotlb: Use restricted DMA pool if available
swiotlb: Add restricted DMA alloc/free support.
dt-bindings: of: Add restricted DMA pool
of: Add plumbing for restricted DMA pool
.../reserved-memory/reserved-memory.txt | 24 +
arch/powerpc/platforms/pseries/svm.c | 4 +-
drivers/iommu/dma-iommu.c | 12 +-
drivers/of/address.c | 21 +
drivers/of/device.c | 4 +
drivers/of/of_private.h | 5 +
drivers/xen/swiotlb-xen.c | 4 +-
include/linux/device.h | 4 +
include/linux/swiotlb.h | 61 +-
kernel/dma/Kconfig | 1 +
kernel/dma/direct.c | 20 +-
kernel/dma/direct.h | 10 +-
kernel/dma/swiotlb.c | 576 +++++++++++-------
13 files changed, 514 insertions(+), 232 deletions(-)
--
2.29.2.729.g45daf8777d-goog
v3:
Using only one reserved memory region for both streaming DMA and memory
allocation.
v2:
Building on top of swiotlb.
https://lore.kernel.org/patchwork/cover/1280705/
v1:
Using dma_map_ops.
https://lore.kernel.org/patchwork/cover/1271660/
