Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3249132pxb; Mon, 25 Jan 2021 10:39:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJxaGykpZWGw+m0+EDxfYmFmL7Dv8ILwHz9MtVFHBzi8S38bfMI2n9Z8yPlh+IvWeyxljp9a X-Received: by 2002:aa7:d0d4:: with SMTP id u20mr1539545edo.203.1611599943749; Mon, 25 Jan 2021 10:39:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611599943; cv=none; d=google.com; s=arc-20160816; b=AqSP677Q+UKlM7GMnxb2qE8KJD1GwCcjTI7mFB+Le1Gt5uyiltR/aErFDSnr4wz31b THwGGm7CFmLUuW/5CVtetRJK6X9DtLHjdsTazmrUXGLcuYTUgfHUpLsKfSzwfiswlnj0 srtEeGVfhAihx3jYd39qbhwHeCxxbe0uRPpiV/s81LjC/uMRvIx8tYY47AvdJB41wR9P buhKufHT8P2dZX2+8lgwDP5hAnNt7HugPob7unSTnyk58KNNc8bODWPZm/Mc8MN0+GSB eatG99mgQKEQjOZm2h0Jbw4b/d6tTu5hXz5ilQ0RjXQoyJgm4jzqO4M8aqpN+45j9AH9 0PDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=VMRVhIQIXZxzucvozlD6kGt114/L0couPU+fNeFrnDQ=; b=m85Kd4sIzi5K606/7bRCbnT6UI2bPf/ql1ntzp78BEJWPnTgZmU6ZYtcP0MhIeO8mA pi1SwZVUy5OVD72NV+YfuO4TPIYyuER5BTvdITLseeLrYwlfIm0gw1K6hekGygYsiIeu FVLEBvPx4/ugCoghp40wklvlKYsSBFwDboxBfFPjwIkxCdIAC2le0zpEcNcC+CBDHpR1 fIle3M7Vb2yzwQy3tnBXXiC2Z25caMa11uHwAjOMdLKaafk7E1gY1OtpO0KshsKUzXvG b6XABnye3DQsKH1DkGZok/c77u6X4u4H+x3UVG/WpsXR3WIKwEmh6Uwq93jCX0fA25j5 dmNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="B/RNvjvh"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m2si7410187eds.224.2021.01.25.10.38.39; Mon, 25 Jan 2021 10:39:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="B/RNvjvh"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727110AbhAYSfJ (ORCPT + 99 others); Mon, 25 Jan 2021 13:35:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726589AbhAYSeU (ORCPT ); Mon, 25 Jan 2021 13:34:20 -0500 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C38A8C061574; Mon, 25 Jan 2021 10:33:39 -0800 (PST) Received: by mail-ed1-x530.google.com with SMTP id bx12so16670064edb.8; Mon, 25 Jan 2021 10:33:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=VMRVhIQIXZxzucvozlD6kGt114/L0couPU+fNeFrnDQ=; b=B/RNvjvh+qiB40NO59Ij5acibSeJucACNTddOI5YBI8wjrLQZCGM/n6hgYcU5ZoMIc 7el4jsKtS3gTsDSsJodd7O6v+pVrEY2qQP7g4eDvKqFVqVzQPmJ9ki4qnqYZ0Y/AuySn KHW49MzPLDQZXV2BHQT/lLAsDHgQN5CnfKxD6vKy8zy6mDCSXe7IS+isMaR23ExsXdEh CaL9wxe38Vap6EY4cP9j1pr6fUJeLVrJKQAGnhZq7M3SrXQMx3CDXcjUMfnj+rCWX7vS zlpZl4WtEMVhrvjaKj83VXuZpzFOE68uikLW1v51/c81VwAO9DZ3AoOvB8Sqo+bCIELe mbLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=VMRVhIQIXZxzucvozlD6kGt114/L0couPU+fNeFrnDQ=; b=TXbI15oNUEzL8QF9zBttiWRt24F+yyVo8wu+6wtqK6uKgHbjC+QzdefnoUXAgqCbYA scgOC5sXTFDeSpj4Mptn7i12UtvNHvdDb66YhSO9KoVV9tpRtyXWxNLUn7KVoyx2HIBl HFtfD6Pmq+gwEQWrMt9FiO20cXFTC+MrCghWrGuhNQBpmOTKlYtHL0c6TfKNkmFIGdt+ bNNzd8LhD138O/xd5BtfL+ooopjnU/L9LQjOzKfUT39pJBOtcxUTYxAXpuYCrv/Hdzx6 rSknL71Ma0F0R8nSFxacx0rlG4jZyqd6xzo9ESY+0QPHN5xSuF/kHukUUJSbfzZ6bDZA JEnw== X-Gm-Message-State: AOAM530QZ5Rfwa74mykzzRXQjaEYticQCbOxyBDH88zW6vq7UobDALB+ YwkBEiQjV/spjtgJTnEtHEmOJrUa2EMU0xZT X-Received: by 2002:aa7:d4d7:: with SMTP id t23mr1529021edr.321.1611599618531; Mon, 25 Jan 2021 10:33:38 -0800 (PST) Received: from martin (p578aa711.dip0.t-ipconnect.de. [87.138.167.17]) by smtp.gmail.com with ESMTPSA id ce7sm8584140ejb.100.2021.01.25.10.33.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Jan 2021 10:33:37 -0800 (PST) Date: Mon, 25 Jan 2021 19:33:35 +0100 From: Martin Radev To: Konrad Rzeszutek Wilk Cc: Christoph Hellwig , thomas.lendacky@amd.com, file@sect.tu-berlin.de, robert.buhren@sect.tu-berlin.de, kvm@vger.kernel.org, konrad.wilk@oracle.com, mathias.morbitzer@aisec.fraunhofer.de, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, iommu@lists.linux-foundation.org, robin.murphy@arm.com, kirill.shutemov@linux.intel.com Subject: Re: [PATCH] swiotlb: Validate bounce size in the sync/unmap path Message-ID: References: <20210113113017.GA28106@lst.de> <20210118151428.GA72213@fedora> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210118151428.GA72213@fedora> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 18, 2021 at 10:14:28AM -0500, Konrad Rzeszutek Wilk wrote: > On Mon, Jan 18, 2021 at 12:44:58PM +0100, Martin Radev wrote: > > On Wed, Jan 13, 2021 at 12:30:17PM +0100, Christoph Hellwig wrote: > > > On Tue, Jan 12, 2021 at 04:07:29PM +0100, Martin Radev wrote: > > > > The size of the buffer being bounced is not checked if it happens > > > > to be larger than the size of the mapped buffer. Because the size > > > > can be controlled by a device, as it's the case with virtio devices, > > > > this can lead to memory corruption. > > > > > > > > > > I'm really worried about all these hodge podge hacks for not trusted > > > hypervisors in the I/O stack. Instead of trying to harden protocols > > > that are fundamentally not designed for this, how about instead coming > > > up with a new paravirtualized I/O interface that is specifically > > > designed for use with an untrusted hypervisor from the start? > > > > Your comment makes sense but then that would require the cooperation > > of these vendors and the cloud providers to agree on something meaningful. > > I am also not sure whether the end result would be better than hardening > > this interface to catch corruption. There is already some validation in > > unmap path anyway. > > > > Another possibility is to move this hardening to the common virtio code, > > but I think the code may become more complicated there since it would > > require tracking both the dma_addr and length for each descriptor. > > Christoph, > > I've been wrestling with the same thing - this is specific to busted > drivers. And in reality you could do the same thing with a hardware > virtio device (see example in http://thunderclap.io/) - where the > mitigation is 'enable the IOMMU to do its job.'. > > AMD SEV documents speak about utilizing IOMMU to do this (AMD SEV-SNP).. > and while that is great in the future, SEV without IOMMU is now here. > > Doing a full circle here, this issue can be exploited with virtio > but you could say do that with real hardware too if you hacked the > firmware, so if you say used Intel SR-IOV NIC that was compromised > on an AMD SEV machine, and plumbed in the guest - the IOMMU inside > of the guest would be SWIOTLB code. Last line of defense against > bad firmware to say. > > As such I am leaning towards taking this code, but I am worried > about the performance hit .. but perhaps I shouldn't as if you > are using SWIOTLB=force already you are kind of taking a > performance hit? > I have not measured the performance degradation. This will hit all AMD SEV, Intel TDX, IBM Protected Virtualization VMs. I don't expect the hit to be large since there are only few added operations per hundreads of copied bytes. I could try to measure the performance hit by running some benchmark with virtio-net/virtio-blk/virtio-rng. Earlier I said: > > Another possibility is to move this hardening to the common virtio code, > > but I think the code may become more complicated there since it would > > require tracking both the dma_addr and length for each descriptor. Unfortunately, this doesn't make sense. Even if there's validation for the size in the common virtio layer, there will be some other device which controls a dma_addr and length passed to dma_unmap* in the corresponding driver. The device can target a specific dma-mapped private buffer by changing the dma_addr and set a good length to overwrite buffers following it. So, instead of doing the check in every driver and hitting a performance cost even when swiotlb is not used, it's probably better to fix it in swiotlb. @Tom Lendacky, do you think that it makes sense to harden swiotlb or some other approach may be better for the SEV features?