lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1422283276-732-1-git-send-email-pure.logic@nexus-software.ie>
Date:	Mon, 26 Jan 2015 14:41:15 +0000
From:	Bryan O'Donoghue <pure.logic@...us-software.ie>
To:	tglx@...utronix.de, mingo@...hat.com, hpa@...or.com,
	x86@...nel.org, dvhart@...radead.org, andy.shevchenko@...il.com,
	boon.leong.ong@...el.com, linux-kernel@...r.kernel.org
Cc:	Bryan O'Donoghue <pure.logic@...us-software.ie>
Subject: [PATCH v4 0/1] x86: Add IMR support to Quark/Galileo

This patchset adds support for Isolated Memory Regions to the kernel.

Quark SoC X1000 contains a set of registers called Isolated Memory Regions.
IMRs provide fine grained memory access control to various system agents
within the SoC such as CPU SMM/non-SMM mode, PCIe virtual channels, CPU
snoop cycles, eSRAM flush cycles and the RMU. In simple terms, IMRs provide
a mechanism to protect memory regions from unwarranted access by system
agents that should not have access to that memory.

IMRs support a lock bit. Once a lock bit is set for an individual IMR it is
not possible to tear down that IMR without performing a cold boot of the
system. IMRs support reporting of violations. The SoC system can be
configured to reboot immediately when an IMR violation has taken place.
Immediate reboot of the system on IMR violation is recommended and is
currently how Quark BIOS configures the system.

An example of IMRs in use is given with Arduino compatiable Galileo boards
which ship with an IMR around the ACPI runtime services memory. If a DMA
read/write cycle were to occur to this region of memory this would trigger
the IMR violation mechansim.

As part of the IMR init code all unlocked IMRs are removed to ensure the
EFI memory map and IMR memory map are consistent. This is necessary since at
various stages during the boot of Quark systems firmware and second stage
bootloader will place unlocked IMRs around various assets in memory, with
the expectation that subsequent phases of boot will tear-down unlocked/stale
IMRs before proceeding. The kernel needs to tear-down unlocked IMRs placed
around the boot params structure and compressed kernel in memory. Without
doing so DMA addresses given out by the kernel to DMA capable hardware runs
the risk of triggering an IMR fault when DMA happens to those addresses.
As a result any unlocked IMR must be torn down by the kernel early in the
boot process to sanitize the memory map. 

As an additional protection to the run-time kernel from unwarranted memory
transactions an IMR is placed around the kernel's .text and .rodata
sections. 

Changes since v3:
 - Remove reference to imr.o in arch/x86/kernel/Makefile
   Bryan O'Donoghue

Changes since v2:
 - Move IMR code to arch/x86/platform/intel-quark/imr.c
   Thomas Gleixner/Darren Hart
 - #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
    Andy Shevchenko
 - ret = iosf_mbi_read()
    Style made consistent in imr_write
    Andy Shevchenko
 - reg++/IMR_NUM_REGS
    Offset used for lock bit in imr_write
    Andy Shevchenko
 - debugfs s->private pointer used
    Andy Shevchenko
 - debugfs
    Conditional compilation defines removed
    Andy Shevchenko
 - debugfs
    Failure to hook debugfs treated as non-fatal
    Andy Shevchenko
 - phys_addr_t
    Updated API to use phys_addr_t in place of unsigned long for base param
    Andy Shevchenko
 - printk
    "KiB" instead of "k"
    Andy Shevchenko
 - imr_enabled
    -> static inline imr_is_enabled
    Ong, Boon Leong/Andy Shevchenko
 - imr_write
    trap final ret from iosf_mbi_write for lock bit in imr_write - bugfix
    Ong, Boon Leong
 - imr_fixup_size
    -> static inline imr_fixup_size
    Ong, Boon Leong
 - imr_address_overlap
    -> imr_address_overlap
    Ong, Boon Leong
 - imr_add_range
    End address in imr_add_range calculated after imr_fixup_size()
    Ong, Boon Leong
 - imr_del_range
    Pass i in place of reg in imr_del_range() - bugfix
    Ong, Boon Leong
 - Add test case
    imr_del_range(-1, addr, size)
    Ong, Boon Leong/Andy Shevchenko
 - Added text "aligned to 1 KiB" removed reference to "4 k"
    Ong, Boon Leong
 - imr_is_enabled
    Definition of enabled updated to be negation of disabled
    Bryan O'Donoghue
 - imr_add_range
    Add check for adding an IMR in the disabled state
    Bryan O'Donoghue
 - Add test case IMR @ invalid address, @0 with rmask/wmask=CPU, @ 0 size 0x800
    Bryan O'Donoghue
 - Add WARN() to failed IMR test in print routine
    Bryan O'Donoghue
 - Update license to Dual BSD/GPL
    Reflect licensing in Intel reference code
    Bryan O'Donoghue

Changes since v1:
 - Galileo platform code
    Removed completely. Policy to tear-down unlocked IMRs and setup IMR
    around kernel .text and .rodata as part of IMR init code.
    Darren Hart/Ong, Boon Leong
 - imr_add/imr_del
    Renamed to imr_add_range and imr_del_range respectively.
    Andy Shevchenko
 - x86_match_cpu
    Used in place of DMI strings specific to Galileo.
    Andy Shevchenko/Ong, Boon Leong
 - Expanded git log definitions of IMRs
    Addition of more descriptive text to deliniate between different IMR
    types.
    Ong, Boon Leong
 - struct imr
    Renamed to struct imr_regs
    Andy Shevchenko/Darren Hart
 - imr_read/imr_write
    Flow reworked flow of register indexing
    Andy Shevchenko
 - debugfs hooks changed
    Andy Shevchenko
 - imr_enabled
    Definition of an enabled IMR updated to include read/write mask values
    present in IMR. Address @ zero and read/write mask in conjunction will
    be the definition of a disabled IMR on X1000 to be consistent with
    firmware both old and current which also defines a disabled IMR this
    way.
    Darren Hart/Ong, Boon Leong
 - Overlapping
    Comment added to code to explain the design decision not to allow IMR
    overlaps.
    Darren Hart/Ong, Boon Leong
 - CONFIG_DEBUG_IMR_SELFTEST
    Automated IMR self test moved from removed Galileo platform code and
    added to IMR init code. Option exists in the kernel hacking section.
    Darren Hart
 - IMR self test
    Expanded to over more scenarios
    Bryan O'Donoghue
 - Remove reference to IMR_ENABLE bit
    Undocumented bit with respect to Quark X1000
    Ong, Boon Leong
 - Expanded kernel IMR to encompass .text and .rodata
    IMR protecting both .text and .rodata as in the same way as .text and
    .rodata are marked read-only in the relevant page-table entries.
    Bryan O'Donoghue
 - Overlap bounds checking
    Moved range checking of overlap into a function
    Andy Shevchenko
 
Bryan O'Donoghue (1):
  x86: Add Isolated Memory Regions for Quark X1000
 
 arch/x86/Kconfig                       |  15 +
 arch/x86/Kconfig.debug                 |  12 +
 arch/x86/include/asm/imr.h             |  60 +++
 arch/x86/platform/Makefile             |   1 +
 arch/x86/platform/intel-quark/Makefile |   1 +
 arch/x86/platform/intel-quark/imr.c    | 713 +++++++++++++++++++++++++++++++++
 drivers/platform/x86/Kconfig           |  25 ++
 7 files changed, 827 insertions(+)
 create mode 100644 arch/x86/include/asm/imr.h
 create mode 100644 arch/x86/platform/intel-quark/Makefile
 create mode 100644 arch/x86/platform/intel-quark/imr.c

-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ