Message-ID: <20111123201215.GL3344@sequoia.sous-sol.org>
Date:	Wed, 23 Nov 2011 12:12:15 -0800
From:	Chris Wright <chrisw@...s-sol.org>
To:	Joerg Roedel <joerg.roedel@....com>
Cc:	Chris Wright <chrisw@...s-sol.org>, linux-pci@...r.kernel.org,
	dwmw2@...radead.org, iommu@...ts.linux-foundation.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iommu: Include MSI susceptibility to DMA in creating
 iommu groups

* Joerg Roedel (joerg.roedel@....com) wrote:
> On Mon, Nov 21, 2011 at 03:35:05PM -0800, Chris Wright wrote:
> 
> > What is the value of a group w/out complete isolation?
> 
> There is still isolation for DMA. This may be sufficient for non-KVM
> use-cases like a device driver partially implemented in userspace. There
> is no guest then that can attack the host with wrong interrupts.

There is a userspace process that could though.  I think I'm missing
the distinction.  In either case there is unprivileged code that could
program the hw to generate PCI write transactions that negatively affect
the system.

> > Is there a practical problem w/ conflating the subtleties above?
> 
> Same argument as above. It ties the iommu_group interface to the KVM
> use case.

I don't agree that it's the KVM use case.  It's the unprivileged code
owning a device use case.  The promise of SR-IOV + IOMMU + PASID shows
hw is trying to go there.

> Another more practical impact of this patch is that a reboot is
> required to re-enable iommu-groups. When the check happens in VFIO it is
> a simple module-reload.

I suppose, however iommu itself is managed via kernel cmdline and
reboot...

I guess we agree that we need to be able to give the user some way of
managing the risk they're willing to take, and just not on where the
flag should go?

thanks,
-chris