public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Tomas Pilar (tpilar)" <tpilar@solarflare.com>
To: Andrew Fish <afish@apple.com>
Cc: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: Hiding physical memory from OS and VT-d/IOMMU
Date: Fri, 3 Mar 2017 18:03:15 +0000	[thread overview]
Message-ID: <f9d160f5-5768-fa38-9fe8-f189951d1346@solarflare.com> (raw)
In-Reply-To: <8239214C-DAB8-4CED-A683-90DB1AA0DE47@apple.com>

Yeah, I was worried about this.

Thanks,

Tom


On 03/03/17 17:06, Andrew Fish wrote:
>> On Mar 3, 2017, at 8:32 AM, Tomas Pilar (tpilar) <tpilar@solarflare.com> wrote:
>>
>> Hi,
>>
>>
>> I am trying to implement a message-box communication protocol between
>> PCIe devices in the same host without the assistance of the OS. For
>> irreducible reasons, I can't use PCIe endpoint-to-endpoint communication
>> so I thought I could create a DMA based message-box protocol where in
>> UEFI driver probe (during DXE) I blot out some physical memory (by
>> leaking a page of memory allocated as EfiRuntimeServicesData) that the
>> devices will then use to communicate even when the OS loads.
>>
>>
>> This runs into a problem when VT-d/IOMMU is involved because it still
>> stops the device from DMA into that page, even though the OS shouldn't
>> touch the page as it's been allocated using EfiRuntimeServicesData.
>>
>>
>> So my query is: Can I achieve this by allocating the box as a different
>> memory type (such as EfiUnusableMemory or EfiReservedMemoryType) and if
>> not, what would be a better way of doing this?
>>
> No VT-d is designed to stop attacks like yours. By default VT-d blocks all DMA, and only allows DMA when it is properly requested by an OS driver that is trusted.
>
> You need an OS driver to map the DMA region for use by the PCI devices prior to using it on a system with VT-d enabled. If there was a way around this that would be a security bug in the IOMMU that an attacker could exploit.
>
> Thanks,
>
> Andrew Fish
>
>> Cheers,
>>
>> Tom
>>
>> The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error, please notify the sender immediately and delete the message. Unless you are an addressee (or authorized to receive for an addressee), you may not use, copy or disclose to anyone this message or any information contained in this message. The unauthorized use, disclosure, copying or alteration of this message is strictly prohibited.
>> _______________________________________________
>> edk2-devel mailing list
>> edk2-devel@lists.01.org
>> https://lists.01.org/mailman/listinfo/edk2-devel



      reply	other threads:[~2017-03-03 18:03 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-03 16:32 Hiding physical memory from OS and VT-d/IOMMU Tomas Pilar (tpilar)
2017-03-03 17:06 ` Andrew Fish
2017-03-03 18:03   ` Tomas Pilar (tpilar) [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f9d160f5-5768-fa38-9fe8-f189951d1346@solarflare.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox