From: Claire Chang
To: robh+dt@kernel.org, frowand.list@gmail.com, hch@lst.de, m.szyprowski@samsung.com, robin.murphy@arm.com
Cc: treding@nvidia.com, gregkh@linuxfoundation.org, saravanak@google.com, suzuki.poulose@arm.com, dan.j.williams@intel.com, heikki.krogerus@linux.intel.com, bgolaszewski@baylibre.com, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org, drinkcat@chromium.org, tfiga@chromium.org, tientzu@chromium.org
Subject: [RFC v2 0/5] Restricted DMA
Date: Tue, 28 Jul 2020 13:01:35 +0800
Message-Id: <20200728050140.996974-1-tientzu@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This series implements mitigations for lack of DMA access control on systems without an IOMMU, which could result in the DMA accessing the system memory at unexpected times and/or unexpected addresses, possibly leading to data leakage or corruption.

For example, we plan to use the PCI-e bus for Wi-Fi on one MTK platform and that PCI-e bus is not behind an IOMMU. As PCI-e, by design, gives the device full access to system memory, a vulnerability in the Wi-Fi firmware could easily escalate to a full system exploit (remote wifi exploits: [1a], [1b] that shows a full chain of exploits; [2], [3]).

To mitigate the security concerns, we introduce restricted DMA. The restricted DMA is implemented by per-device swiotlb and coherent memory pools. The feature on its own provides a basic level of protection against the DMA overwriting buffer contents at unexpected times. However, to protect against general data leakage and system memory corruption, the system needs to provide a way to restrict the DMA to a predefined memory region (this is usually done at firmware level, e.g. in ATF on some ARM platforms).

[1a] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
[1b] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
[2] https://blade.tencent.com/en/advisories/qualpwn/
[3] https://www.bleepingcomputer.com/news/security/vulnerabilities-found-in-highly-popular-firmware-for-wifi-chips/

Claire Chang (5):
  swiotlb: Add io_tlb_mem struct
  swiotlb: Add device swiotlb pool
  swiotlb: Use device swiotlb pool if available
  dt-bindings: of: Add plumbing for restricted DMA pool
  of: Add plumbing for restricted DMA pool

 .../reserved-memory/reserved-memory.txt |  35 ++
 drivers/iommu/intel/iommu.c             |   8 +-
 drivers/of/address.c                    |  39 ++
 drivers/of/device.c                     |   3 +
 drivers/of/of_private.h                 |   6 +
 drivers/xen/swiotlb-xen.c               |   4 +-
 include/linux/device.h                  |   4 +
 include/linux/dma-direct.h              |   8 +-
 include/linux/swiotlb.h                 |  49 +-
 kernel/dma/direct.c                     |   8 +-
 kernel/dma/swiotlb.c                    | 418 +++++++++++-------
 11 files changed, 393 insertions(+), 189 deletions(-)

--
v1: https://lore.kernel.org/patchwork/cover/1271660/

Changes in v2:
- build on top of swiotlb

2.28.0.rc0.142.g3c755180ce-goog
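
A user-space model of the bounce-buffer idea behind the per-device pool described in the cover letter, added here as an illustration and not code from the patch series. The names `dev_pool`, `pool_map`, `pool_unmap` and `device_write` and the slot sizes are hypothetical, and real swiotlb copies according to the DMA direction rather than always copying back.

```c
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 64
#define NSLOTS    4

/* Hypothetical user-space model of one device's restricted pool (not kernel code). */
struct dev_pool {
    uint8_t mem[NSLOTS][SLOT_SIZE]; /* the only memory the device can reach */
    void   *owner[NSLOTS];          /* driver buffer bounced into each slot */
    size_t  len[NSLOTS];
};

/* Map: bounce the driver buffer into a free slot; the device is told the slot only. */
int pool_map(struct dev_pool *p, void *buf, size_t len)
{
    int i = 0;
    while (i < NSLOTS && p->owner[i])
        i++;
    if (i == NSLOTS || len == 0 || len > SLOT_SIZE)
        return -1;                  /* pool exhausted or request too large */
    memcpy(p->mem[i], buf, len);
    p->owner[i] = buf;
    p->len[i] = len;
    return i;
}

/* Unmap: copy the device's data back exactly once, scrub and release the slot. */
int pool_unmap(struct dev_pool *p, int slot)
{
    if (slot < 0 || slot >= NSLOTS || !p->owner[slot])
        return -1;
    memcpy(p->owner[slot], p->mem[slot], p->len[slot]);
    memset(p->mem[slot], 0, SLOT_SIZE);
    p->owner[slot] = NULL;
    return 0;
}

/* Stand-in for device DMA; the bounds check models the firmware-enforced window. */
int device_write(struct dev_pool *p, int slot, size_t off, uint8_t v)
{
    if (slot < 0 || slot >= NSLOTS || off >= SLOT_SIZE)
        return -1;
    p->mem[slot][off] = v;
    return 0;
}
```

A `device_write` issued after `pool_unmap` still succeeds but lands only in pool memory, so the driver's buffer keeps the contents it had at unmap time. The rejection of out-of-range slots corresponds to the separate firmware-level restriction the cover letter says the system must provide.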