| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a89e8fcc-29f0-4a6a-85f8-ca8ca41c53ce@arm.com>
Date: Tue, 20 Jan 2026 17:11:27 +0000
From: Robin Murphy <robin.murphy@....com>
To: Jason Gunthorpe <jgg@...pe.ca>, Suzuki K Poulose <suzuki.poulose@....com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@...nel.org>,
linux-kernel@...r.kernel.org, iommu@...ts.linux.dev,
linux-coco@...ts.linux.dev, Catalin Marinas <catalin.marinas@....com>,
will@...nel.org, steven.price@....com,
Marek Szyprowski <m.szyprowski@...sung.com>
Subject: Re: [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA
addresses
On 2026-01-20 3:11 pm, Jason Gunthorpe wrote:
> On Tue, Jan 20, 2026 at 02:39:14PM +0000, Suzuki K Poulose wrote:
>>>>> diff --git a/kernel/dma/direct.c b/kernel/dma/direct.c
>>>>> index 8e04f72baaa3..a5639e9415f5 100644
>>>>> --- a/kernel/dma/direct.c
>>>>> +++ b/kernel/dma/direct.c
>>>>> @@ -580,12 +580,12 @@ int dma_direct_supported(struct device *dev, u64 mask)
>>>>> /*
>>>>> * This check needs to be against the actual bit mask value, so use
>>>>> - * phys_to_dma_unencrypted() here so that the SME encryption mask isn't
>>>>> + * __phys_to_dma() here so that the arch specific encryption mask isn't
>>>>> * part of the check.
>>>>> */
>>>>> if (IS_ENABLED(CONFIG_ZONE_DMA))
>>>>> min_mask = min_t(u64, min_mask, zone_dma_limit);
>>>>> - return mask >= phys_to_dma_unencrypted(dev, min_mask);
>>>>> + return mask >= __phys_to_dma(dev, min_mask);
>>>>
>>>> This is wrong, isn't it ? For e.g., for CCA, even though the "Flag" is
>>>> added to the PA, it is really part of the actual "PA" and thus must be
>>>> checked against the full PA ?
>>>>
>>>
>>> That is true only when the device is operating in untrusted mode?. For a
>>> trusted device that mask is valid mask right?
>>
>> Irrespective of the mode in which the device is operating, the DMA
>> address must include the fully qualified "{I}PA" address, right ?
>> i.e., "the Unencrypted" bit is only a software construct and the full
>> PA must be used, irrespective of the mode of the device.
>
> But you could make an argument that a trusted device won't DMA to
> shared memory, ie it would SWIOTLB to private memory if that is
> required.
I don't think we can assume that any arbitrary trusted device is *never*
going to want to access shared memory in the Realm IPA space, and while
it might technically be possible for a private SWIOTLB buffer to handle
that, we currently only have infrastructure that assumes the opposite
(i.e. that SWIOTLB buffers are shared for bouncing untrusted DMA to/from
private memory). Thus for now, saying we can only promise to support DMA
if the device can access the whole IPA space itself is accurate.
> Otherwise these two limitations will exclude huge numbers of real
> devices from working with ARM CCA at all.
Pretty sure the dependency on TDISP wins in that regard ;)
However, assuming that Realms and RMMs might eventually come up with
their own attestation mechanisms for on-chip non-PCIe devices (and such
devices continue to have crippled DMA capabilities) then the fact is
still that DA requires an SMMU for S2, so at worst there should always
be the possibility for an RMM to offer S1 SMMU support to the Realm,
we're just not there yet.
Thanks,
Robin.
Powered by blists - more mailing lists