lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d4d2488e85174cff9ab8c641336d5919@ausx13mpc120.AMER.DELL.COM>
Date:   Mon, 12 Nov 2018 16:22:25 +0000
From:   <Mario.Limonciello@...l.com>
To:     <mika.westerberg@...ux.intel.com>,
        <iommu@...ts.linux-foundation.org>
CC:     <joro@...tes.org>, <dwmw2@...radead.org>,
        <baolu.lu@...ux.intel.com>, <ashok.raj@...el.com>,
        <bhelgaas@...gle.com>, <rjw@...ysocki.net>,
        <jacob.jun.pan@...el.com>, <andreas.noever@...il.com>,
        <michael.jamet@...el.com>, <YehezkelShB@...il.com>,
        <lukas@...ner.de>, <ckellner@...hat.com>,
        <anthony.wong@...onical.com>, <linux-acpi@...r.kernel.org>,
        <linux-pci@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection
 support to userspace

> -----Original Message-----
> From: Mika Westerberg <mika.westerberg@...ux.intel.com>
> Sent: Monday, November 12, 2018 10:06 AM
> To: iommu@...ts.linux-foundation.org
> Cc: Joerg Roedel; David Woodhouse; Lu Baolu; Ashok Raj; Bjorn Helgaas; Rafael J.
> Wysocki; Jacob jun Pan; Andreas Noever; Michael Jamet; Yehezkel Bernat; Lukas
> Wunner; Christian Kellner; Limonciello, Mario; Anthony Wong; Mika Westerberg;
> linux-acpi@...r.kernel.org; linux-pci@...r.kernel.org; linux-
> kernel@...r.kernel.org
> Subject: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection support
> to userspace
> 
> 
> 
> 
> Recent systems shipping with Windows 10 version 1803 or later may
> support a feature called Kernel DMA protection [1]. In practice this
> means that Thunderbolt connected devices are placed behind an IOMMU
> during the whole time it is connected (including during boot) making
> Thunderbolt security levels redundant. Some of these systems still have
> Thunderbolt security level set to "user" in order to support OS
> downgrade (the older version of the OS might not support IOMMU based DMA
> protection so connecting a device still relies on user approval then).
> 
> Export this information to userspace by introducing a new sysfs
> attribute (iommu_dma_protection). Based on it userspace tools can make
> more accurate decision whether or not authorize the connected device.
> 
> In addition update Thunderbolt documentation regarding IOMMU based DMA
> protection.
> 
> [1] https://docs.microsoft.com/en-us/windows/security/information-
> protection/kernel-dma-protection-for-thunderbolt
> 
> Signed-off-by: Mika Westerberg <mika.westerberg@...ux.intel.com>
> ---
>  .../ABI/testing/sysfs-bus-thunderbolt         |  9 ++++++++
>  Documentation/admin-guide/thunderbolt.rst     | 23 +++++++++++++++++++
>  drivers/thunderbolt/domain.c                  | 17 ++++++++++++++
>  3 files changed, 49 insertions(+)
> 
> diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt
> b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> index 151584a1f950..b21fba14689b 100644
> --- a/Documentation/ABI/testing/sysfs-bus-thunderbolt
> +++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt
> @@ -21,6 +21,15 @@ Description:	Holds a comma separated list of device
> unique_ids that
>  		If a device is authorized automatically during boot its
>  		boot attribute is set to 1.
> 
> +What: /sys/bus/thunderbolt/devices/.../domainX/iommu_dma_protection
> +Date:		Mar 2019
> +KernelVersion:	4.21
> +Contact:	thunderbolt-software@...ts.01.org
> +Description:	This attribute tells whether the system uses IOMMU
> +		for DMA protection. Value of 1 means IOMMU is used 0 means
> +		it is not (DMA protection is solely based on Thunderbolt
> +		security levels).
> +
>  What: /sys/bus/thunderbolt/devices/.../domainX/security
>  Date:		Sep 2017
>  KernelVersion:	4.13
> diff --git a/Documentation/admin-guide/thunderbolt.rst b/Documentation/admin-
> guide/thunderbolt.rst
> index 35fccba6a9a6..ccac2596a49f 100644
> --- a/Documentation/admin-guide/thunderbolt.rst
> +++ b/Documentation/admin-guide/thunderbolt.rst
> @@ -133,6 +133,29 @@ If the user still wants to connect the device they can
> either approve
>  the device without a key or write a new key and write 1 to the
>  ``authorized`` file to get the new key stored on the device NVM.
> 
> +DMA protection utilizing IOMMU
> +------------------------------
> +Recent systems shipping with Windows 10 version 1803 or later may support a
> +feature called `Kernel DMA Protection for Thunderbolt 3`_.  This means that

Keep in mind there will be systems that ship with Linux that enable this feature too ;)

It might be better to make it time frame and platform  firmware oriented as it's
entirely possible for an OEM to have a field firmware upgrade that may enable this
functionality from the platform and allow an end user to upgrade to a sufficiently
protected kernel or Windows OS to take advantage of it.

> +Thunderbolt security is handled by an IOMMU so connected devices cannot
> +access memory regions outside of what is allocated for them by drivers.
> +When Linux is running on such system it automatically enables IOMMU if not
> +enabled by the user already. These systems can be identified by reading
> +``1`` from ``/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection``
> +attribute.
> +
> +The driver does not do anything special in this case but because DMA
> +protection is handled by the IOMMU, security levels (if set) are
> +redundant. For this reason some systems ship with security level set to
> +``none``. Other systems have security level set to ``user`` in order to
> +support downgrade to older Windows, so users who want to automatically
> +authorize devices when IOMMU DMA protection is enabled can use the
> +following ``udev`` rule::
> +
> +  ACTION=="add", SUBSYSTEM=="thunderbolt",
> ATTRS{iommu_dma_protection}=="1", ATTR{authorized}=="0",
> ATTR{authorized}="1"
> +
> +.. _Kernel DMA Protection for Thunderbolt 3: https://docs.microsoft.com/en-
> us/windows/security/information-protection/kernel-dma-protection-for-
> thunderbolt
> +
>  Upgrading NVM on Thunderbolt device or host
>  -------------------------------------------
>  Since most of the functionality is handled in firmware running on a
> diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
> index 93e562f18d40..7416bdbd8576 100644
> --- a/drivers/thunderbolt/domain.c
> +++ b/drivers/thunderbolt/domain.c
> @@ -7,7 +7,9 @@
>   */
> 
>  #include <linux/device.h>
> +#include <linux/dmar.h>
>  #include <linux/idr.h>
> +#include <linux/iommu.h>
>  #include <linux/module.h>
>  #include <linux/pm_runtime.h>
>  #include <linux/slab.h>
> @@ -236,6 +238,20 @@ static ssize_t boot_acl_store(struct device *dev, struct
> device_attribute *attr,
>  }
>  static DEVICE_ATTR_RW(boot_acl);
> 
> +static ssize_t iommu_dma_protection_show(struct device *dev,
> +					 struct device_attribute *attr,
> +					 char *buf)
> +{
> +	/*
> +	 * Kernel DMA protection is a feature where Thunderbolt security is
> +	 * handled natively using IOMMU. It is enabled when IOMMU is
> +	 * enabled and ACPI DMAR table has DMAR_PLATFORM_OPT_IN set.
> +	 */
> +	return sprintf(buf, "%d\n",
> +		       iommu_present(&pci_bus_type) && dmar_platform_optin());
> +}
> +static DEVICE_ATTR_RO(iommu_dma_protection);
> +
>  static ssize_t security_show(struct device *dev, struct device_attribute *attr,
>  			     char *buf)
>  {
> @@ -251,6 +267,7 @@ static DEVICE_ATTR_RO(security);
> 
>  static struct attribute *domain_attrs[] = {
>  	&dev_attr_boot_acl.attr,
> +	&dev_attr_iommu_dma_protection.attr,
>  	&dev_attr_security.attr,
>  	NULL,
>  };
> --
> 2.19.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ