From: Jerome Glisse <jglisse@redhat.com>
To: David Laight <David.Laight@aculab.com>
Cc: Patrick Brunner <brunner@stettbacher.ch>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: IOMMU Page faults when running DMA transfers from PCIe device
Date: Thu, 18 Apr 2019 10:58:32 -0400 [thread overview]
Message-ID: <20190418145832.GC3288@redhat.com> (raw)
In-Reply-To: <7bcd438c9e85449e97554d5248d580ca@AcuMS.aculab.com>
On Thu, Apr 18, 2019 at 09:37:58AM +0000, David Laight wrote:
> From: Jerome Glisse
> > Sent: 16 April 2019 16:33
> ...
> > I am no expert but i am guessing your FPGA set the request field in the
> > PCIE TLP write packet to 00:00.0 and this might work when IOMMU is off but
> > might not work when IOMMU is on ie when IOMMU is on your device should set
> > the request field to the FPGA PCIE id so that the IOMMU knows for which
> > device the PCIE write or read packet is and thus against which IOMMU page
> > table.
>
> Interesting.
> Does that mean that a malicious PCIe device can send write TLP
> that contain the 'wrong' id (IIRC that is bus:dev:fn) and so
> write to areas that it shouldn't access?
Yes it does, they are bunch of paper on that look for IOMMU DMA
attack.
>
> For any degree of security the PCIe bridge nearest the target
> needs to verify the id as well.
> Actually all bridges need to verify the 'bus' part.
> Then boards with 'dodgy' bridges can only write to locations
> that other dev:fn on the same board can access.
Yes they should but it has a cost and AFAIK no bridges, not even
the root port, does that. PCIE bandwidth is big and it means a
lot of packets can go through a PCIE switch or PCIE bridge and
i believe that such PCIE packet inspection have been considered
too costly. Afterall if someone can plug a rogue device to your
computer (ignoring laptop) then he can do more harm with easier
method. FGPA accelerator as PCIE device, might open a door for
clever and _resourceful_ people to try to use them as a remote
vector attack.
Cheers,
Jérôme
prev parent reply other threads:[~2019-04-18 14:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 16:04 IOMMU Page faults when running DMA transfers from PCIe device Patrick Brunner
2019-04-16 15:33 ` Jerome Glisse
2019-04-17 14:17 ` Patrick Brunner
2019-04-17 14:37 ` Jerome Glisse
2019-04-18 9:37 ` David Laight
2019-04-18 14:58 ` Jerome Glisse [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190418145832.GC3288@redhat.com \
--to=jglisse@redhat.com \
--cc=David.Laight@aculab.com \
--cc=brunner@stettbacher.ch \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox