lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20181113161258.GE2500@lahna.fi.intel.com>
Date:   Tue, 13 Nov 2018 18:12:58 +0200
From:   Mika Westerberg <mika.westerberg@...ux.intel.com>
To:     Yehezkel Bernat <yehezkelshb@...il.com>
Cc:     iommu@...ts.linux-foundation.org, joro@...tes.org,
        David Woodhouse <dwmw2@...radead.org>,
        baolu.lu@...ux.intel.com, ashok.raj@...el.com,
        Bjorn Helgaas <bhelgaas@...gle.com>, rjw@...ysocki.net,
        jacob.jun.pan@...el.com, Andreas Noever <andreas.noever@...il.com>,
        michael.jamet@...el.com, lukas@...ner.de,
        Christian Kellner <ckellner@...hat.com>,
        Mario Limonciello <Mario.Limonciello@...l.com>,
        Anthony Wong <anthony.wong@...onical.com>,
        linux-acpi@...r.kernel.org, linux-pci@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 4/4] thunderbolt: Export IOMMU based DMA protection
 support to userspace

On Tue, Nov 13, 2018 at 05:38:53PM +0200, Yehezkel Bernat wrote:
> Good point. But I thought about per-TBT-device decision. If the platform is
> configured for IOMMU+"user" security level, while approving the device the user
> may want to set also in which IOMMU group to put all the PCIe devices connected
> to it. The same goes if kernel is supposed to auto-approve such devices based on
> an internal table. The point is that we can think on a configuration where the
> devices aren't tunneled yet and the decision about IOMMU can still be changed.

Right, some of these systems have security level set to "user" so there
we could have a way to put the device into passthrough mode before it
appears on the PCIe bus. That would require some sort of API on the
IOMMU side, though.

> As you mentioned this isn't the common configuration anyway, so it probably
> doesn't worth all this hassle.

AFAIK mixing the two is not something they are going to be supporting in
Windows so I would not expect it to be common. I think the ultimate goal
is to move away from security levels towards IOMMU DMA protection so in
future I would expect more and more systems with IOMMU enabled +
security level set to "none".

So I agree with you that it probably is not worth doing at least without
having more data about real performance issues around this. ;-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ