Re: [PATCH v8 7/7] iommu/vt-d: Use bounce buffer for untrusted devices

From: Lu Baolu
Date: Mon Sep 02 2019 - 03:17:03 EST

Hi David,

On 8/30/19 9:39 PM, David Laight wrote:
From: Lu Baolu
Sent: 30 August 2019 08:17

The Intel VT-d hardware uses paging for DMA remapping.
The minimum mapped window is a page size. The device
drivers may map buffers not filling the whole IOMMU
window. This allows the device to access to possibly
unrelated memory and a malicious device could exploit
this to perform DMA attacks. To address this, the
Intel IOMMU driver will use bounce pages for those
buffers which don't fill whole IOMMU pages.

Won't this completely kill performance?

I'd expect to see something for dma_alloc_coherent() (etc)
that tries to give the driver page sized buffers.

Bounce page won't be used if driver request page sized buffers.

Either that or the driver could allocate page sized buffers
even though it only passes fragments of these buffers to
the dma functions (to avoid excessive cache invalidates).

Yes, agreed. One possible solution is to add a dma attribution and the
device driver could hint that the buffer under mapping is part of a page
sized buffer and iommu driver don't need to use bounce buffer for it.
This is in the todo list. We need to figure out which device driver
really needs this.

Since you have to trust the driver, why not actually trust it?

In thunderbolt case, we trust driver, but we don't trust the hot-added

Best regards,