lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z_N_DNXq9VbPvTfA@infradead.org>
Date: Mon, 7 Apr 2025 00:30:20 -0700
From: Christoph Hellwig <hch@...radead.org>
To: David Woodhouse <dwmw2@...radead.org>
Cc: "Michael S. Tsirkin" <mst@...hat.com>,
	Christoph Hellwig <hch@...radead.org>,
	virtio-comment@...ts.linux.dev, Claire Chang <tientzu@...omium.org>,
	linux-devicetree <devicetree@...r.kernel.org>,
	Rob Herring <robh+dt@...nel.org>,
	Jörg Roedel <joro@...tes.org>,
	iommu@...ts.linux-foundation.org, linux-kernel@...r.kernel.org,
	graf@...zon.de
Subject: Re: [RFC PATCH 1/3] content: Add VIRTIO_F_SWIOTLB to negotiate use
 of SWIOTLB bounce buffers

On Fri, Apr 04, 2025 at 12:15:52PM +0100, David Woodhouse wrote:
> We could achieve that by presenting the device with a completely new
> PCI device/vendor ID so that old drivers don't match, or in the DT
> model you could make a new "compatible" string for it. I chose to use a
> VIRTIO_F_ bit for it instead, which seemed natural and allows the
> device model (under the influence of the system integrator) to *choose*
> whether a failure to negotiate such bit is fatal or not.

Stop thinking about devices.  Your CoCo VM will have that exact same
limitation for all devices, because none of them can DMA into random
memory.  The solution to the compatibility problem is to just not boot
an OS aware of the exact CoCo scheme into a CoCo VM.  Bonus points
for figuring out something clever at the system level that let's the
boot fail gracefully early on for that case.

> The main thing in the CoCo case is that the range in question must not
> contain any memory which an unenlightened guest might treat as normal
> system RAM (because it has to be accessible by the VMM, and that would
> make it insecure if it's being used a general-purpose RAM).

Yes.

> So on x86 it might be an e820-reserved region for example.

Hasn't e820 replaced with something more "elaborate" for UEFI systems
anyway?

> I don't think we want the guest OS just *assuming* that there's usable
> memory in that e820-reserved region, just because some device says that
> it's actually capable of DMA to those addresses.
> 
> So it would probably want a separate object, like the separate
> `restricted-dma-pool` in DT, which explicitly identifies that range as
> a DMA bounce-buffer pool. We probably *can* do that even in ACPI with a
> PRP0001 device today, using a `restricted-dma-pool` compatible
> property.
> 
> Then the OS would need to spot this range in the config space, and say
> "oh, I *do* have a swiotlb pool this device can reach", and use that.

Yes, that's largely how it should work.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ