On Wed, Apr 29, 2020 at 01:42:13PM +0800, Lu Baolu
wrote:> On 2020/4/29 12:57, Michael S. Tsirkin wrote:
> > On Wed, Apr 29, 2020 at 10:22:32AM +0800, Lu Baolu wrote:
> > > On 2020/4/29 4:41, Michael S. Tsirkin wrote:
> > > > On Tue, Apr 28, 2020 at 11:19:52PM +0530, Srivatsa Vaddagiri
wrote:
> > > > > * Michael S. Tsirkin<mst at redhat.com>
[2020-04-28 12:17:57]:
> > > > >
> > > > > > Okay, but how is all this virtio specific? For
example, why not allow
> > > > > > separate swiotlbs for any type of device?
> > > > > > For example, this might make sense if a given
device is from a
> > > > > > different, less trusted vendor.
> > > > > Is swiotlb commonly used for multiple devices that may
be on different trust
> > > > > boundaries (and not behind a hardware iommu)?
> > > > Even a hardware iommu does not imply a 100% security from
malicious
> > > > hardware. First lots of people use iommu=pt for performance
reasons.
> > > > Second even without pt, unmaps are often batched, and
sub-page buffers
> > > > might be used for DMA, so we are not 100% protected at all
times.
> > > >
> > >
> > > For untrusted devices, IOMMU is forced on even iommu=pt is used;
> >
> > I think you are talking about untrusted *drivers* like with VFIO.
>
> No. I am talking about untrusted devices like thunderbolt peripherals.
> We always trust drivers hosted in kernel and the DMA APIs are designed
> for them, right?
>
> Please refer to this series.
>
> https://lkml.org/lkml/2019/9/6/39
>
> Best regards,
> baolu
Oh, thanks for that! I didn't realize Linux is doing this.
So it seems that with modern Linux, all one needs
to do on x86 is mark the device as untrusted.
It's already possible to do this with ACPI and with OF - would that be
sufficient for achieving what this patchset is trying to do?
Adding more ways to mark a device as untrusted, and adding
support for more platforms to use bounce buffers
sounds like a reasonable thing to do.
> >
> > On the other hand, I am talking about things like thunderbolt
> > peripherals being less trusted than on-board ones.
>
>
>
> >
> > Or possibly even using swiotlb for specific use-cases where
> > speed is less of an issue.
> >
> > E.g. my wifi is pretty slow anyway, and that card is exposed to
> > malicious actors all the time, put just that behind swiotlb
> > for security, and leave my graphics card with pt since
> > I'm trusting it with secrets anyway.
> >
> >
> > > and
> > > iotlb flush is in strict mode (no batched flushes); ATS is also
not
> > > allowed. Swiotlb is used to protect sub-page buffers since IOMMU
can
> > > only apply page granularity protection. Swiotlb is now used for
devices
> > > from different trust zone.
> > >
> > > Best regards,
> > > baolu
> >
