Date: Thu, 25 Jan 2018 10:38:39 -0500
From: Jerome Glisse
To: Boris Lukashev
Cc: Igor Stoppa, Jann Horn, Kees Cook, Michal Hocko, Laura Abbott, Christoph Hellwig, Matthew Wilcox, Christoph Lameter, linux-security-module, Linux-MM, kernel list, Kernel Hardening
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
Message-ID: <20180125153839.GA3542@redhat.com>

On Thu, Jan 25, 2018 at 10:14:28AM -0500, Boris Lukashev wrote:
> On Thu, Jan 25, 2018 at 6:59 AM, Igor Stoppa wrote:

[...]

> DMA/physmap access coupled with a knowledge of which virtual mappings
> are in the physical space should be enough for an attacker to bypass
> the gating mechanism this work imposes. Not trivial, but not
> impossible. Since there's no way to prevent that sort of access in
> current hardware (especially something like a NIC or GPU working
> independently of the CPU altogether)

I am not saying this is impossible, but this is unlikely; there are
several mechanisms. First you have the IOMMU; it has been defaulted to on
by OEMs for the last few years (it used to be enabled only on servers for
virtualization). This means that a given device can only access memory
that is mapped to it through the IOMMU page table (usually each device
gets its own distinct IOMMU page table).

Then on a device like a GPU you have an MMU (no GPU without an MMU for the
last 10 years or more). The MMU is under the control of the kernel driver
of the GPU, and for the open source drivers we try hard to make sure it
cannot be abused and circumvented by userspace, i.e. we restrict userspace
processes to only access memory they own.

I am not saying that this cannot happen, but that we are trying our best
to avoid it.

Cheers,
Jérôme
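
Added example, not part of the original message or of the patch series: a POSIX shell check of the IOMMU isolation the reply relies on, reading the kernel's `/sys/kernel/iommu_groups` tree to see whether any groups exist and which devices share one. The function names, the root-directory argument and the sample PCI addresses are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: list IOMMU groups from sysfs and flag groups holding more
# than one device. The root argument is an assumption of this sketch so the
# walk can be pointed at a constructed tree; on a live system it is /sys.

# Print "group<TAB>device" for each device in an IOMMU group (nothing if none).
iommu_devices() {
    for dev in "${1:-/sys}"/kernel/iommu_groups/*/devices/*; do
        [ -e "$dev" ] || [ -L "$dev" ] || continue   # unmatched glob stays literal
        group="${dev%/devices/*}"
        printf '%s\t%s\n' "${group##*/}" "${dev##*/}"
    done
}

# An IOMMU group is the smallest set of devices the IOMMU can isolate from
# the rest of the system, so devices sharing a group are not isolated from
# one another. Print the numbers of groups that contain more than one device.
shared_groups() {
    iommu_devices "$1" | cut -f1 | sort -n | uniq -d
}

# Succeed only if the kernel created at least one IOMMU group.
iommu_active() {
    [ -n "$(iommu_devices "$1")" ]
}

# Constructed sample tree (PCI addresses are made up): group 0 holds one
# device, group 1 holds two. Prints the path of the temporary root.
build_sample_tree() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/kernel/iommu_groups/0/devices/0000:00:02.0" \
             "$tmp/kernel/iommu_groups/1/devices/0000:01:00.0" \
             "$tmp/kernel/iommu_groups/1/devices/0000:01:00.1"
    printf '%s\n' "$tmp"
}

sample="$(build_sample_tree)"
iommu_devices "$sample"
echo "shared groups in sample: $(shared_groups "$sample")"
rm -rf "$sample"

# Live system: report whether groups exist and which are shared.
if iommu_active /sys; then
    echo "live system: IOMMU groups present, shared: $(shared_groups /sys | tr '\n' ' ')"
else
    echo "live system: no IOMMU groups (IOMMU disabled or absent)"
fi
```

An empty `iommu_groups` directory means device DMA is not being translated by an IOMMU on that boot, whatever the firmware default is.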