Re: [PATCH V3 02/11] PCI: Lock down BAR access when module securityis enabled
From: David Woodhouse
Date: Wed Sep 04 2013 - 14:58:39 EST
On Wed, 2013-09-04 at 17:04 +0000, Matthew Garrett wrote:
> Do we have in-kernel API to guarantee that a given PCI device is
> actively isolated by an IOMMU such that it can't modify any host kernel
> pages that aren't explicitly intended to be writable by the device? That
> seems to be the biggest constraint.
We don't, but it's not hard to add one if we have a consensus on exactly
what it needs to mean.
> How does virt passthrough work in this case? The current situation
> appears to be that qemu just passes the BARs through to the guest, and
> it's the guest that sets things up. We'd need to be able to ensure that
> there's no way the guest driver can cause DMA into the host kernel.
We set up the IOMMU page tables so that the virtual bus addresses seen
by the PCI device are 1:1 mapped to the guest "physical" address space.
That is, what the PCI device sees as a "physical" address is equivalent
to what the guest sees as a "physical" address space. It can access
memory which belongs to that guest, and nothing else. So that should be
fine.
(Currently, the guest sees no IOMMU. There's just that permanent 1:1
mapping of all of the guest's memory so that it's visible to the device.
We may later implement a virtual IOMMU within qemu, and then we'll have
more dynamic mappings. But the principle will remain the same: PCI
devices assigned to a KVM guest can only 'see' memory pages which belong
to that guest.
> > And there are non-DMA considerations too, aren't there? What about just
> > writing some fun stuff to a memory BAR and then writing to PCI config to
> > map that BAR to an address that we can get executed by kernel code?
>
> Yes, that's why config space is locked down for now.
OK.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
Attachment:
smime.p7s
Description: S/MIME cryptographic signature