lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 6 May 2015 10:46:01 +0200
From:	Benjamin Gaignard <benjamin.gaignard@...aro.org>
To:	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Cc:	"linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
	Hans Verkuil <hverkuil@...all.nl>,
	Laurent Pinchart <laurent.pinchart@...asonboard.com>,
	Daniel Vetter <daniel.vetter@...ll.ch>,
	Rob Clark <robdclark@...il.com>,
	Thierry Reding <treding@...dia.com>,
	Dave Airlie <airlied@...hat.com>,
	Sumit Semwal <sumit.semwal@...aro.org>,
	Tom Gall <tom.gall@...aro.org>
Subject: Re: [RFC] How implement Secure Data Path ?

2015-05-05 18:54 GMT+02:00 One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>:
>> First what is Secure Data Path ? SDP is a set of hardware features to garanty
>> that some memories regions could only be read and/or write by specific hardware
>> IPs. You can imagine it as a kind of memory firewall which grant/revoke
>> accesses to memory per devices. Firewall configuration must be done in a trusted
>> environment: for ARM architecture we plan to use OP-TEE + a trusted
>> application to do that.
>
> It's not just an ARM feature so any basis for this in the core code
> should be generic, whether its being enforced by ARM SDP, various Intel
> feature sets or even via a hypervisor.

I agree the core code should be generic, I was just mention OP-TEE to explain on
which context I'm working.

>
>> I have try 2 "hacky" approachs with dma_buf:
>> - add a secure field in dma_buf structure and configure firewall in
>>   dma_buf_{map/unmap}_attachment() functions.
>
> How is SDP not just another IOMMU. The only oddity here is that it
> happens to configure buffers the CPU can't touch and it has a control
> mechanism that is designed to cover big media corp type uses where the
> threat model is that the system owner is the enemy. Why does anything care
> about it being SDP, there are also generic cases this might be a useful
> optimisation (eg knowing the buffer isn't CPU touched so you can optimise
> cache flushing).
>

IOMMU interface doesn't offer API to manage buffer refcounting so you
will ignore
when you will have to stop protect the memory when using dma_buf you know
that the buffer is release when destroy function is called.
It is not only to not allow CPU to access to memory but also to
configure hardware
devices and firewall to be able to access to the memory.

> The control mechanism is a device/platform detail as with any IOMMU. It
> doesn't matter who configures it or how, providing it happens.
>
> We do presumably need some small core DMA changes - anyone trying to map
> such a buffer into CPU space needs to get a warning or error but what
> else ?
>
>> >From buffer allocation point of view I also facing a problem because when v4l2
>> or drm/kms are exporting buffers by using dma_buf they don't attaching
>> themself on it and never call dma_buf_{map/unmap}_attachment(). This is not
>> an issue in those framework while it is how dma_buf exporters are
>> supposed to work.
>
> Which could be addressed if need be.
>
> So if "SDP" is just another IOMMU feature, just as stuff like IMR is on
> some x86 devices, and hypervisor enforced protection is on assorted
> platforms why do we need a special way to do it ? Is there anything
> actually needed beyond being able to tell the existing DMA code that this
> buffer won't be CPU touched and wiring it into the DMA operations for the
> platform ?
>
> Alan



-- 
Benjamin Gaignard

Graphic Working Group

Linaro.org │ Open source software for ARM SoCs

Follow Linaro: Facebook | Twitter | Blog
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists