lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1378314286.13193.5.camel@x230>
Date:	Wed, 4 Sep 2013 17:04:46 +0000
From:	Matthew Garrett <matthew.garrett@...ula.com>
To:	David Woodhouse <dwmw2@...radead.org>
CC:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
	"keescook@...omium.org" <keescook@...omium.org>,
	"hpa@...or.com" <hpa@...or.com>
Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security
 is enabled

On Wed, 2013-09-04 at 17:57 +0100, David Woodhouse wrote:
> On Tue, 2013-09-03 at 19:50 -0400, Matthew Garrett wrote:
> > Any hardware that can potentially generate DMA has to be locked down from
> > userspace in order to avoid it being possible for an attacker to modify
> > kernel code, allowing them to circumvent disabled module loading or module
> > signing. Default to paranoid - in future we can potentially relax this for
> > sufficiently IOMMU-isolated devices.
> 
> Can you elaborate on what you mean by "sufficiently IOMMU-isolated", and
> what's missing before we can do that?

Do we have in-kernel API to guarantee that a given PCI device is
actively isolated by an IOMMU such that it can't modify any host kernel
pages that aren't explicitly intended to be writable by the device? That
seems to be the biggest constraint.

> If a given device is protected by an active IOMMU, and if there's no
> driver loaded and hence no active DMA mappings for the device in
> question, then we ought to be able to prod at it safely, right? It can't
> DMA anywhere anyway.

How does virt passthrough work in this case? The current situation
appears to be that qemu just passes the BARs through to the guest, and
it's the guest that sets things up. We'd need to be able to ensure that
there's no way the guest driver can cause DMA into the host kernel.

> And there are non-DMA considerations too, aren't there? What about just
> writing some fun stuff to a memory BAR and then writing to PCI config to
> map that BAR to an address that we can get executed by kernel code?

Yes, that's why config space is locked down for now.

-- 
Matthew Garrett <matthew.garrett@...ula.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ