[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200728050140.996974-1-tientzu@chromium.org>
Date: Tue, 28 Jul 2020 13:01:35 +0800
From: Claire Chang <tientzu@...omium.org>
To: robh+dt@...nel.org, frowand.list@...il.com, hch@....de,
m.szyprowski@...sung.com, robin.murphy@....com
Cc: treding@...dia.com, gregkh@...uxfoundation.org,
saravanak@...gle.com, suzuki.poulose@....com,
dan.j.williams@...el.com, heikki.krogerus@...ux.intel.com,
bgolaszewski@...libre.com, devicetree@...r.kernel.org,
linux-kernel@...r.kernel.org, iommu@...ts.linux-foundation.org,
drinkcat@...omium.org, tfiga@...omium.org, tientzu@...omium.org
Subject: [RFC v2 0/5] Restricted DMA
This series implements mitigations for lack of DMA access control on
systems without an IOMMU, which could result in the DMA accessing the
system memory at unexpected times and/or unexpected addresses, possibly
leading to data leakage or corruption.
For example, we plan to use the PCI-e bus for Wi-Fi on one MTK platform and
that PCI-e bus is not behind an IOMMU. As PCI-e, by design, gives the
device full access to system memory, a vulnerability in the Wi-Fi firmware
could easily escalate to a full system exploit (remote wifi exploits: [1a],
[1b] that shows a full chain of exploits; [2], [3]).
To mitigate the security concerns, we introduce restricted DMA. The
restricted DMA is implemented by per-device swiotlb and coherent memory
pools. The feature on its own provides a basic level of protection against
the DMA overwriting buffer contents at unexpected times. However, to
protect against general data leakage and system memory corruption, the
system needs to provide a way to restrict the DMA to a predefined memory
region (this is usually done at firmware level, e.g. in ATF on some ARM
platforms).
[1a] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
[1b] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
[2] https://blade.tencent.com/en/advisories/qualpwn/
[3] https://www.bleepingcomputer.com/news/security/vulnerabilities-found-in-highly-popular-firmware-for-wifi-chips/
Claire Chang (5):
swiotlb: Add io_tlb_mem struct
swiotlb: Add device swiotlb pool
swiotlb: Use device swiotlb pool if available
dt-bindings: of: Add plumbing for restricted DMA pool
of: Add plumbing for restricted DMA pool
.../reserved-memory/reserved-memory.txt | 35 ++
drivers/iommu/intel/iommu.c | 8 +-
drivers/of/address.c | 39 ++
drivers/of/device.c | 3 +
drivers/of/of_private.h | 6 +
drivers/xen/swiotlb-xen.c | 4 +-
include/linux/device.h | 4 +
include/linux/dma-direct.h | 8 +-
include/linux/swiotlb.h | 49 +-
kernel/dma/direct.c | 8 +-
kernel/dma/swiotlb.c | 418 +++++++++++-------
11 files changed, 393 insertions(+), 189 deletions(-)
--
v1: https://lore.kernel.org/patchwork/cover/1271660/
Changes in v2:
- build on top of swiotlb
2.28.0.rc0.142.g3c755180ce-goog
Powered by blists - more mailing lists