lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 5 May 2017 08:59:20 +0200
From:   Ingo Molnar <mingo@...nel.org>
To:     Joerg Roedel <jroedel@...e.de>
Cc:     Shaohua Li <shli@...com>, linux-kernel@...r.kernel.org,
        gang.wei@...el.com, hpa@...ux.intel.com, kernel-team@...com,
        ning.sun@...el.com, srihan@...com, alex.eydelberg@...el.com
Subject: Re: [PATCH V2] x86/tboot: add an option to disable iommu force on


* Joerg Roedel <jroedel@...e.de> wrote:

> On Thu, Apr 27, 2017 at 08:51:42AM +0200, Ingo Molnar wrote:
> > > +		tboot_noforce [Default Off]
> > > +			Do not force the Intel IOMMU enabled under tboot.
> > > +			By default, tboot will force Intel IOMMU on, which
> > > +			could harm performance of some high-throughput
> > > +			devices like 40GBit network cards, even if identity
> > > +			mapping is enabled.
> > > +			Note that using this option lowers the security
> > > +			provided by tboot because it makes the system
> > > +			vulnerable to DMA attacks.
> > 
> > So what's the purpose of this kernel option?
> > 
> > It sure isn't the proper solution for correctly architectured hardware/firmware 
> > (which can just choose not to expose the IOMMU!), and for one-time hacks for 
> > special embedded systems or for debugging why not just add an iommu=off option to 
> > force it off?
> 
> I guess that tboot requires an IOMMU to be present in order to work. It
> will do initial IOMMU setup and hands the hardware over to Linux later
> on.
> 
> The problem solved here is that someone wants tboot for security
> reasons, but doesn't want the performance penalty of having the IOMMU
> enabled and can live with the risk of an DMA attack.

Yes, that makes sense - but in this case it would be far more user friendly to 
make it a sysctl, not a boot option. This is also much more manageable for 
distributions and also allows it to be more easily turned into a security policy 
feature.

New boot options should be for debugging hacks in essence - any serious hardware 
configuration should be done via more user-friendly methods.

Thanks,

	Ingo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ