| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260120175454.GA1325733@ziepe.ca> Date: Tue, 20 Jan 2026 13:54:54 -0400 From: Jason Gunthorpe <jgg@...pe.ca> To: Robin Murphy <robin.murphy@....com> Cc: Suzuki K Poulose <suzuki.poulose@....com>, "Aneesh Kumar K.V" <aneesh.kumar@...nel.org>, linux-kernel@...r.kernel.org, iommu@...ts.linux.dev, linux-coco@...ts.linux.dev, Catalin Marinas <catalin.marinas@....com>, will@...nel.org, steven.price@....com, Marek Szyprowski <m.szyprowski@...sung.com> Subject: Re: [PATCH 1/2] dma-direct: Validate DMA mask against canonical DMA addresses On Tue, Jan 20, 2026 at 05:11:27PM +0000, Robin Murphy wrote: > > But you could make an argument that a trusted device won't DMA to > > shared memory, ie it would SWIOTLB to private memory if that is > > required. > > I don't think we can assume that any arbitrary trusted device is *never* > going to want to access shared memory in the Realm IPA space, Well, I can say it isn't supported with the DMA API we have today, so that's not *never* but at least for the present moment assuming that only private addresses are used with DMA would be consistent with the overall kernel capability. Certainly I think we have use cases for mixing traffic, and someone here is looking at what it would take to extend things to actually make it possible to reach into arbitrary shared memory with the DMA API.. > and while it might technically be possible for a private SWIOTLB > buffer to handle that, we currently only have infrastructure that > assumes the opposite (i.e. that SWIOTLB buffers are shared for > bouncing untrusted DMA to/from private memory). We also don't support T=1 devices with the current kernel either, and the required behavior is exactly what a normal non-CC kernel does today. Basically, SWIOTLB should not be allocating or using shared memory with a T=1 device at all, and I think that is a important thing to have in the code for security. Anyhow, I'm just saying either you keep the limit as we have now or if the limit is relaxed for T=1 then it would make sense to fixup SWIOTLB to do traditional bouncing to avoid high (shared) addresses. > Thus for now, saying we can only promise to support DMA if the > device can access the whole IPA space itself is accurate. Right, that is where things are right now, and I don't think we should move away from those code limitations unless there are mitigations like bouncing.. > > Otherwise these two limitations will exclude huge numbers of real > > devices from working with ARM CCA at all. > > Pretty sure the dependency on TDISP wins in that regard ;) You can use existing T=0 devices without TDISP And bolting a TDISP capable PCI IP onto a device with an addressing limit probably isn't going to fix the addressing limit. :( > However, assuming that Realms and RMMs might eventually come up with their > own attestation mechanisms for on-chip non-PCIe devices (and such devices > continue to have crippled DMA capabilities) The fabric isn't the only issue here, and even "PCIe" appearing devices don't necessarily run over real-PCIe and may have limited fabrics. There are enough important devices out there that have internal limitations, like registers and data structures that just cannot store the full 64 bit address space. HW folks have a big $$ incentive to take shortcuts like this.. > then the fact is still that DA requires an SMMU for S2, so at worst > there should always be the possibility for an RMM to offer S1 SMMU > support to the Realm, we're just not there yet. Having a S1 would help a T=1 device, but it doesn't do anything for the T=0 devices. The other answer is to expect the VMM to limit the IPA size so that the IO devices can reach the full address space. Jason
Powered by blists - more mailing lists