From: Robin Murphy <robin.murphy-5wv7dgnIgG8@public.gmane.org>
To: Mitchel Humpherys
<mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Will Deacon <will.deacon-5wv7dgnIgG8@public.gmane.org>,
Marek Szyprowski
<m.szyprowski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
Cc: Pratik Patel <pratikp-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
Jordan Crouse <jcrouse-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
Jeremy Gebben <jgebben-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>,
Patrick Daly <pdaly-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
Subject: Re: [PATCH v2 0/6] Add support for privileged mappings
Date: Mon, 11 Jul 2016 15:02:24 +0100 [thread overview]
Message-ID: <5783A6F0.7040903@arm.com> (raw)
In-Reply-To: <20160709020919.6760-1-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
Hey Mitch,
Thanks for having the necessary go at the DMA API - I think the series
looks broadly workable now.
On 09/07/16 03:09, Mitchel Humpherys wrote:
> The following patch to the ARM SMMU driver:
>
> commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
> Author: Robin Murphy <robin.murphy-5wv7dgnIgG8@public.gmane.org>
> Date: Tue Jan 26 18:06:34 2016 +0000
>
> iommu/arm-smmu: Treat all device transactions as unprivileged
>
> started forcing all SMMU transactions to come through as "unprivileged".
> The rationale given was that:
>
> (1) There is no way in the IOMMU API to even request privileged mappings.
>
> (2) It's difficult to implement a DMA mapper that correctly models the
> ARM VMSAv8 behavior of unprivileged-writeable =>
> privileged-execute-never.
>
> This series rectifies (1) by introducing an IOMMU API for privileged
> mappings and implements it in io-pgtable-arm.
>
> This series rectifies (2) by introducing a new dma attribute
> (DMA_ATTR_PRIVILEGED_EXECUTABLE) for users of the DMA API that need
> privileged, executable mappings, and implements it in the arm64 IOMMU DMA
> mapper. The one known user (pl330.c) is converted over to the new
> attribute.
>
> Jordan and Jeremy can provide more info on the use case if needed, but the
> high level is that it's a security feature to prevent attacks such as [1].
My understanding of that hack is that it involves switching the GPU into
privileged mode to get at the mapping of the IOMMU registers in the
first place, so I don't see at a glance how having privileged mappings
defends against that. What it clearly does do, however, is get us _to_
the point where it's necessary to do such a privilege switch in the
first place, as opposed to everything being trivially wide-open, which
is no bad thing.
Robin.
>
> [1] https://github.com/robclark/kilroy
>
> Changelog:
>
> v1..v2
>
> - Added a new DMA attribute to make executable privileged mappings
> work, and use that in the pl330 driver (suggested by Will).
>
>
> Jeremy Gebben (1):
> iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag
>
> Mitchel Humpherys (5):
> iommu: add IOMMU_PRIV attribute
> Revert "iommu/arm-smmu: Treat all device transactions as unprivileged"
> common: DMA-mapping: add DMA_ATTR_PRIVILEGED_EXECUTABLE attribute
> arm64/dma-mapping: Implement DMA_ATTR_PRIVILEGED_EXECUTABLE
> dmaengine: pl330: Make sure microcode is privileged-executable
>
> Documentation/DMA-attributes.txt | 9 +++++++++
> arch/arm64/mm/dma-mapping.c | 6 +++---
> drivers/dma/pl330.c | 7 +++++--
> drivers/iommu/arm-smmu.c | 5 +----
> drivers/iommu/dma-iommu.c | 15 +++++++++++----
> drivers/iommu/io-pgtable-arm.c | 16 +++++++++++-----
> include/linux/dma-attrs.h | 1 +
> include/linux/dma-iommu.h | 3 ++-
> include/linux/iommu.h | 1 +
> 9 files changed, 44 insertions(+), 19 deletions(-)
>
WARNING: multiple messages have this Message-ID (diff)
From: robin.murphy@arm.com (Robin Murphy)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 0/6] Add support for privileged mappings
Date: Mon, 11 Jul 2016 15:02:24 +0100 [thread overview]
Message-ID: <5783A6F0.7040903@arm.com> (raw)
In-Reply-To: <20160709020919.6760-1-mitchelh@codeaurora.org>
Hey Mitch,
Thanks for having the necessary go at the DMA API - I think the series
looks broadly workable now.
On 09/07/16 03:09, Mitchel Humpherys wrote:
> The following patch to the ARM SMMU driver:
>
> commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
> Author: Robin Murphy <robin.murphy@arm.com>
> Date: Tue Jan 26 18:06:34 2016 +0000
>
> iommu/arm-smmu: Treat all device transactions as unprivileged
>
> started forcing all SMMU transactions to come through as "unprivileged".
> The rationale given was that:
>
> (1) There is no way in the IOMMU API to even request privileged mappings.
>
> (2) It's difficult to implement a DMA mapper that correctly models the
> ARM VMSAv8 behavior of unprivileged-writeable =>
> privileged-execute-never.
>
> This series rectifies (1) by introducing an IOMMU API for privileged
> mappings and implements it in io-pgtable-arm.
>
> This series rectifies (2) by introducing a new dma attribute
> (DMA_ATTR_PRIVILEGED_EXECUTABLE) for users of the DMA API that need
> privileged, executable mappings, and implements it in the arm64 IOMMU DMA
> mapper. The one known user (pl330.c) is converted over to the new
> attribute.
>
> Jordan and Jeremy can provide more info on the use case if needed, but the
> high level is that it's a security feature to prevent attacks such as [1].
My understanding of that hack is that it involves switching the GPU into
privileged mode to get at the mapping of the IOMMU registers in the
first place, so I don't see at a glance how having privileged mappings
defends against that. What it clearly does do, however, is get us _to_
the point where it's necessary to do such a privilege switch in the
first place, as opposed to everything being trivially wide-open, which
is no bad thing.
Robin.
>
> [1] https://github.com/robclark/kilroy
>
> Changelog:
>
> v1..v2
>
> - Added a new DMA attribute to make executable privileged mappings
> work, and use that in the pl330 driver (suggested by Will).
>
>
> Jeremy Gebben (1):
> iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag
>
> Mitchel Humpherys (5):
> iommu: add IOMMU_PRIV attribute
> Revert "iommu/arm-smmu: Treat all device transactions as unprivileged"
> common: DMA-mapping: add DMA_ATTR_PRIVILEGED_EXECUTABLE attribute
> arm64/dma-mapping: Implement DMA_ATTR_PRIVILEGED_EXECUTABLE
> dmaengine: pl330: Make sure microcode is privileged-executable
>
> Documentation/DMA-attributes.txt | 9 +++++++++
> arch/arm64/mm/dma-mapping.c | 6 +++---
> drivers/dma/pl330.c | 7 +++++--
> drivers/iommu/arm-smmu.c | 5 +----
> drivers/iommu/dma-iommu.c | 15 +++++++++++----
> drivers/iommu/io-pgtable-arm.c | 16 +++++++++++-----
> include/linux/dma-attrs.h | 1 +
> include/linux/dma-iommu.h | 3 ++-
> include/linux/iommu.h | 1 +
> 9 files changed, 44 insertions(+), 19 deletions(-)
>
WARNING: multiple messages have this Message-ID (diff)
From: Robin Murphy <robin.murphy@arm.com>
To: Mitchel Humpherys <mitchelh@codeaurora.org>,
iommu@lists.linux-foundation.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Will Deacon <will.deacon@arm.com>,
Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Jordan Crouse <jcrouse@codeaurora.org>,
Jeremy Gebben <jgebben@codeaurora.org>,
Patrick Daly <pdaly@codeaurora.org>,
Pratik Patel <pratikp@codeaurora.org>
Subject: Re: [PATCH v2 0/6] Add support for privileged mappings
Date: Mon, 11 Jul 2016 15:02:24 +0100 [thread overview]
Message-ID: <5783A6F0.7040903@arm.com> (raw)
In-Reply-To: <20160709020919.6760-1-mitchelh@codeaurora.org>
Hey Mitch,
Thanks for having the necessary go at the DMA API - I think the series
looks broadly workable now.
On 09/07/16 03:09, Mitchel Humpherys wrote:
> The following patch to the ARM SMMU driver:
>
> commit d346180e70b91b3d5a1ae7e5603e65593d4622bc
> Author: Robin Murphy <robin.murphy@arm.com>
> Date: Tue Jan 26 18:06:34 2016 +0000
>
> iommu/arm-smmu: Treat all device transactions as unprivileged
>
> started forcing all SMMU transactions to come through as "unprivileged".
> The rationale given was that:
>
> (1) There is no way in the IOMMU API to even request privileged mappings.
>
> (2) It's difficult to implement a DMA mapper that correctly models the
> ARM VMSAv8 behavior of unprivileged-writeable =>
> privileged-execute-never.
>
> This series rectifies (1) by introducing an IOMMU API for privileged
> mappings and implements it in io-pgtable-arm.
>
> This series rectifies (2) by introducing a new dma attribute
> (DMA_ATTR_PRIVILEGED_EXECUTABLE) for users of the DMA API that need
> privileged, executable mappings, and implements it in the arm64 IOMMU DMA
> mapper. The one known user (pl330.c) is converted over to the new
> attribute.
>
> Jordan and Jeremy can provide more info on the use case if needed, but the
> high level is that it's a security feature to prevent attacks such as [1].
My understanding of that hack is that it involves switching the GPU into
privileged mode to get at the mapping of the IOMMU registers in the
first place, so I don't see at a glance how having privileged mappings
defends against that. What it clearly does do, however, is get us _to_
the point where it's necessary to do such a privilege switch in the
first place, as opposed to everything being trivially wide-open, which
is no bad thing.
Robin.
>
> [1] https://github.com/robclark/kilroy
>
> Changelog:
>
> v1..v2
>
> - Added a new DMA attribute to make executable privileged mappings
> work, and use that in the pl330 driver (suggested by Will).
>
>
> Jeremy Gebben (1):
> iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag
>
> Mitchel Humpherys (5):
> iommu: add IOMMU_PRIV attribute
> Revert "iommu/arm-smmu: Treat all device transactions as unprivileged"
> common: DMA-mapping: add DMA_ATTR_PRIVILEGED_EXECUTABLE attribute
> arm64/dma-mapping: Implement DMA_ATTR_PRIVILEGED_EXECUTABLE
> dmaengine: pl330: Make sure microcode is privileged-executable
>
> Documentation/DMA-attributes.txt | 9 +++++++++
> arch/arm64/mm/dma-mapping.c | 6 +++---
> drivers/dma/pl330.c | 7 +++++--
> drivers/iommu/arm-smmu.c | 5 +----
> drivers/iommu/dma-iommu.c | 15 +++++++++++----
> drivers/iommu/io-pgtable-arm.c | 16 +++++++++++-----
> include/linux/dma-attrs.h | 1 +
> include/linux/dma-iommu.h | 3 ++-
> include/linux/iommu.h | 1 +
> 9 files changed, 44 insertions(+), 19 deletions(-)
>
next prev parent reply other threads:[~2016-07-11 14:02 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-09 2:09 [PATCH v2 0/6] Add support for privileged mappings Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
[not found] ` <20160709020919.6760-1-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
2016-07-09 2:09 ` [PATCH v2 1/6] iommu: add IOMMU_PRIV attribute Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-11 14:08 ` Robin Murphy
2016-07-11 14:08 ` Robin Murphy
2016-07-09 2:09 ` [PATCH v2 2/6] iommu/io-pgtable-arm: add support for the IOMMU_PRIV flag Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
[not found] ` <20160709020919.6760-3-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
2016-07-11 14:14 ` Robin Murphy
2016-07-11 14:14 ` Robin Murphy
2016-07-11 14:14 ` Robin Murphy
2016-07-09 2:09 ` [PATCH v2 3/6] Revert "iommu/arm-smmu: Treat all device transactions as unprivileged" Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
[not found] ` <20160709020919.6760-4-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
2016-07-11 14:20 ` Robin Murphy
2016-07-11 14:20 ` Robin Murphy
2016-07-11 14:20 ` Robin Murphy
2016-07-09 2:09 ` [PATCH v2 4/6] common: DMA-mapping: add DMA_ATTR_PRIVILEGED_EXECUTABLE attribute Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-11 14:46 ` Robin Murphy
2016-07-11 14:46 ` Robin Murphy
2016-07-09 2:09 ` [PATCH v2 5/6] arm64/dma-mapping: Implement DMA_ATTR_PRIVILEGED_EXECUTABLE Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
[not found] ` <20160709020919.6760-6-mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org>
2016-07-11 15:06 ` Robin Murphy
2016-07-11 15:06 ` Robin Murphy
2016-07-11 15:06 ` Robin Murphy
2016-07-09 2:09 ` [PATCH v2 6/6] dmaengine: pl330: Make sure microcode is privileged-executable Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-09 2:09 ` Mitchel Humpherys
2016-07-11 15:23 ` Robin Murphy
2016-07-11 15:23 ` Robin Murphy
2016-07-11 14:02 ` Robin Murphy [this message]
2016-07-11 14:02 ` [PATCH v2 0/6] Add support for privileged mappings Robin Murphy
2016-07-11 14:02 ` Robin Murphy
[not found] ` <5783A6F0.7040903-5wv7dgnIgG8@public.gmane.org>
2016-07-11 15:00 ` Jordan Crouse
2016-07-11 15:00 ` Jordan Crouse
2016-07-11 15:00 ` Jordan Crouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5783A6F0.7040903@arm.com \
--to=robin.murphy-5wv7dgnigg8@public.gmane.org \
--cc=iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=jcrouse-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=jgebben-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=m.szyprowski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=mitchelh-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=pdaly-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=pratikp-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org \
--cc=will.deacon-5wv7dgnIgG8@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.