lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Yw7iFQGpStC6YodP@gao-cwp>
Date:   Wed, 31 Aug 2022 12:22:45 +0800
From:   Chao Gao <chao.gao@...el.com>
To:     Robin Murphy <robin.murphy@....com>
CC:     <linux-kernel@...r.kernel.org>, <iommu@...ts.linux.dev>,
        <hch@...radead.org>, <m.szyprowski@...sung.com>
Subject: Re: [PATCH] swiotlb: fix a typo

On Tue, Aug 30, 2022 at 10:23:51AM +0100, Robin Murphy wrote:
>On 2022-08-26 10:50, Chao Gao wrote:
>> "overwirte" isn't a word. It should be "overwrite".
>> 
>> Signed-off-by: Chao Gao <chao.gao@...el.com>
>> ---
>> BTW, I am wondering if copying the original buffer to the tlb buffer
>> unconditionally will leak the original buffer to the VMM, especially
>> when VMM isn't trusted e.g., by confidential VMs. Would it be better
>> to zero the tlb buffer for dir == DMA_FROM_DEVICE?
>
>No, at the point of dma_map(), the buffer contents are owned by the caller,
>so if parts of that buffer are sensitive and shouldn't be exposed to DMA,
>then don't map the whole buffer for DMA. There are more DMA API
>implementations than SWIOTLB.
>

I am not sure if all existing drivers ensure that all buffers allocated
for DMA_FROM_DEVICE are zeroed/poisoned so that they don't have sensitive
data before dma_map(). If that isn't the case, bouncing the original contents
(left by the previous user of the buffer) effectively makes the contents
visible to host/VMM. I am afraid it may be a concern for confidential VMs.

>The whole point of bouncing the original contents here is that doing anything
>else effectively corrupts any part of the mapping that the device may end up
>*not* writing to - see the whole sordid original discussion (but don't be
>confused by the fact that the caller's original data happened to be zeros in
>that particular case).

Got it. Thanks for the explanation.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ