lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240521163400.GK20229@nvidia.com>
Date: Tue, 21 May 2024 13:34:00 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Alex Williamson <alex.williamson@...hat.com>
Cc: "Tian, Kevin" <kevin.tian@...el.com>,
	"Vetter, Daniel" <daniel.vetter@...el.com>,
	"Zhao, Yan Y" <yan.y.zhao@...el.com>,
	"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"x86@...nel.org" <x86@...nel.org>,
	"iommu@...ts.linux.dev" <iommu@...ts.linux.dev>,
	"pbonzini@...hat.com" <pbonzini@...hat.com>,
	"seanjc@...gle.com" <seanjc@...gle.com>,
	"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
	"luto@...nel.org" <luto@...nel.org>,
	"peterz@...radead.org" <peterz@...radead.org>,
	"tglx@...utronix.de" <tglx@...utronix.de>,
	"mingo@...hat.com" <mingo@...hat.com>,
	"bp@...en8.de" <bp@...en8.de>, "hpa@...or.com" <hpa@...or.com>,
	"corbet@....net" <corbet@....net>,
	"joro@...tes.org" <joro@...tes.org>,
	"will@...nel.org" <will@...nel.org>,
	"robin.murphy@....com" <robin.murphy@....com>,
	"baolu.lu@...ux.intel.com" <baolu.lu@...ux.intel.com>,
	"Liu, Yi L" <yi.l.liu@...el.com>
Subject: Re: [PATCH 4/5] vfio/type1: Flush CPU caches on DMA pages in
 non-coherent domains

On Tue, May 21, 2024 at 10:21:23AM -0600, Alex Williamson wrote:

> > Intel GPU weirdness should not leak into making other devices
> > insecure/slow. If necessary Intel GPU only should get some variant
> > override to keep no snoop working.
> > 
> > It would make alot of good sense if VFIO made the default to disable
> > no-snoop via the config space.
> 
> We can certainly virtualize the config space no-snoop enable bit, but
> I'm not sure what it actually accomplishes.  We'd then be relying on
> the device to honor the bit and not have any backdoors to twiddle the
> bit otherwise (where we know that GPUs often have multiple paths to get
> to config space).

I'm OK with this. If devices are insecure then they need quirks in
vfio to disclose their problems, we shouldn't punish everyone who
followed the spec because of some bad actors.

But more broadly in a security engineered environment we can trust the
no-snoop bit to work properly.

> We also then have the question of does the device function
> correctly if we disable no-snoop.

Other than the GPU BW issue the no-snoop is not a functional behavior.

> The more secure approach might be that we need to do these cache
> flushes for any IOMMU that doesn't maintain coherency, even for
> no-snoop transactions.  Thanks,

Did you mean 'even for snoop transactions'?

That is where this series is, it assumes a no-snoop transaction took
place even if that is impossible, because of config space, and then
does pessimistic flushes.

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ