From: Jerome Glisse <jglisse@redhat.com>
To: David Laight <David.Laight@aculab.com>
Cc: Patrick Brunner <brunner@stettbacher.ch>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: IOMMU Page faults when running DMA transfers from PCIe device
Date: Thu, 18 Apr 2019 10:58:32 -0400 [thread overview]
Message-ID: <20190418145832.GC3288@redhat.com> (raw)
In-Reply-To: <7bcd438c9e85449e97554d5248d580ca@AcuMS.aculab.com>
On Thu, Apr 18, 2019 at 09:37:58AM +0000, David Laight wrote:
> From: Jerome Glisse
> > Sent: 16 April 2019 16:33
> ...
> > I am no expert but i am guessing your FPGA set the request field in the
> > PCIE TLP write packet to 00:00.0 and this might work when IOMMU is off but
> > might not work when IOMMU is on ie when IOMMU is on your device should set
> > the request field to the FPGA PCIE id so that the IOMMU knows for which
> > device the PCIE write or read packet is and thus against which IOMMU page
> > table.
>
> Interesting.
> Does that mean that a malicious PCIe device can send write TLP
> that contain the 'wrong' id (IIRC that is bus:dev:fn) and so
> write to areas that it shouldn't access?
Yes it does, they are bunch of paper on that look for IOMMU DMA
attack.
>
> For any degree of security the PCIe bridge nearest the target
> needs to verify the id as well.
> Actually all bridges need to verify the 'bus' part.
> Then boards with 'dodgy' bridges can only write to locations
> that other dev:fn on the same board can access.
Yes they should but it has a cost and AFAIK no bridges, not even
the root port, does that. PCIE bandwidth is big and it means a
lot of packets can go through a PCIE switch or PCIE bridge and
i believe that such PCIE packet inspection have been considered
too costly. Afterall if someone can plug a rogue device to your
computer (ignoring laptop) then he can do more harm with easier
method. FGPA accelerator as PCIE device, might open a door for
clever and _resourceful_ people to try to use them as a remote
vector attack.
Cheers,
Jérôme
prev parent reply other threads:[~2019-04-18 14:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 16:04 IOMMU Page faults when running DMA transfers from PCIe device Patrick Brunner
2019-04-16 15:33 ` Jerome Glisse
2019-04-17 14:17 ` Patrick Brunner
2019-04-17 14:37 ` Jerome Glisse
2019-04-18 9:37 ` David Laight
2019-04-18 14:58 ` Jerome Glisse [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190418145832.GC3288@redhat.com \
--to=jglisse@redhat.com \
--cc=David.Laight@aculab.com \
--cc=brunner@stettbacher.ch \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.