Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp212814rwe; Wed, 31 Aug 2022 01:09:19 -0700 (PDT) X-Google-Smtp-Source: AA6agR6HXRQrtEh3VDAVqjgyLJCEksX3Ez9hAEuM2QAle7af1W8aaLsuc1gdxvO+q9mA1vs2qk3e X-Received: by 2002:a17:90a:5d88:b0:1fa:b5c4:608b with SMTP id t8-20020a17090a5d8800b001fab5c4608bmr2059706pji.22.1661933359040; Wed, 31 Aug 2022 01:09:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661933359; cv=none; d=google.com; s=arc-20160816; b=cELdTFK8eGQt6BasWpBJ8Laiwm2AtjZYHyQT3I1hkjQOw/uhY4y3qoTo5ri8vZMK6F ROH7nLKDTKOSB8Nnkrt6NAk+b/dZXUnKIU6D6xQ1G4FMleCpWtMWMujQvbrrZOFEg83X PrsSqNCWduvlXqJRtvHj3/fhRr52fxMdysxSk+07l7ahLTlfVxtCw4Z94mfsAL64N1kj oOVnmjArJcnmCmYNWBqwXFf2vPLwW/r+umEVjoY0bvL5vic5HpGZop7FboZClPfPyZgH uUc6bD4KvQTE30LAocck/qPBSZmdAATQi6/oqpOKYt7AvNQywmcHi6dOHJP7YGxTlyft xKGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=BlWxokSYRvCNjvauu4HTl3WtMYkSLqYbz8jqW8DAa0E=; b=YipQrG22o2QDBnbfJG18dJMM1NQhz7bccaqhqFf0rvL0tzzagWdi7Qtm9IaYupDd58 BuUkP2axEbgn7egusfMVgkqqO05FfPlSseen0gZz7zM4MOI2HxC6bG6xEGXE90hfTaZI 4Fx21ZJ3UsiOje0nwshz4EwOpcH2pW5mwSBdHxJ7tu44jhApKpGvVx3R6jhPuEwYfrJE 0ohlpZ9CJx07UAkBoub5jFRlFQP/ik4OvMW2YpI1V0pA5CQkvfTFxLbZ3lkB3UKr24UB SgUS5C4AMKnbIPXCScyeceiTias6RIIh519wmNVv7R2uFSnaf9Sf5OH5efBrOXX5iPl4 OCWg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i190-20020a636dc7000000b004202cb15b7dsi4537775pgc.81.2022.08.31.01.09.08; Wed, 31 Aug 2022 01:09:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229599AbiHaICv (ORCPT + 99 others); Wed, 31 Aug 2022 04:02:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229449AbiHaICp (ORCPT ); Wed, 31 Aug 2022 04:02:45 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C1146B99D3 for ; Wed, 31 Aug 2022 01:02:44 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B043CED1; Wed, 31 Aug 2022 01:02:50 -0700 (PDT) Received: from [10.57.15.237] (unknown [10.57.15.237]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 13CBF3F766; Wed, 31 Aug 2022 01:03:11 -0700 (PDT) Message-ID: <19a47bae-91ff-648c-c407-759468b8af6a@arm.com> Date: Wed, 31 Aug 2022 09:02:35 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Thunderbird/102.2.0 Subject: Re: [PATCH] swiotlb: fix a typo Content-Language: en-GB To: Chao Gao Cc: linux-kernel@vger.kernel.org, iommu@lists.linux.dev, hch@infradead.org, m.szyprowski@samsung.com References: <20220826095046.880626-1-chao.gao@intel.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-08-31 05:22, Chao Gao wrote: > On Tue, Aug 30, 2022 at 10:23:51AM +0100, Robin Murphy wrote: >> On 2022-08-26 10:50, Chao Gao wrote: >>> "overwirte" isn't a word. It should be "overwrite". >>> >>> Signed-off-by: Chao Gao >>> --- >>> BTW, I am wondering if copying the original buffer to the tlb buffer >>> unconditionally will leak the original buffer to the VMM, especially >>> when VMM isn't trusted e.g., by confidential VMs. Would it be better >>> to zero the tlb buffer for dir == DMA_FROM_DEVICE? >> >> No, at the point of dma_map(), the buffer contents are owned by the caller, >> so if parts of that buffer are sensitive and shouldn't be exposed to DMA, >> then don't map the whole buffer for DMA. There are more DMA API >> implementations than SWIOTLB. >> > > I am not sure if all existing drivers ensure that all buffers allocated > for DMA_FROM_DEVICE are zeroed/poisoned so that they don't have sensitive > data before dma_map(). If that isn't the case, bouncing the original contents > (left by the previous user of the buffer) effectively makes the contents > visible to host/VMM. I am afraid it may be a concern for confidential VMs. Sure, and in a scheme where pages can be dynamically shared in-place instead of using SWIOTLB to bounce through a pre-shared buffer, then those same drivers will still expose the same stale data. Similarly, a driver could massively over-map with DMA_TO_DEVICE or DMA_BIDIRECTIONAL and expose all manner of potential secrets that way. It's a concern that cannot be addressed at the DMA API level. Anyone who wants to completely trust drivers not to do anything stupid in a confidential compute scenario is going to have to audit and possibly fix those drivers. Robin.