From: "Tomas Pilar (tpilar)"
To: Andrew Fish
CC: edk2-devel@lists.01.org
Date: Fri, 3 Mar 2017 18:03:15 +0000
Subject: Re: Hiding physical memory from OS and VT-d/IOMMU

Yeah, I was worried about this.

Thanks,
Tom

On 03/03/17 17:06, Andrew Fish wrote:
>> On Mar 3, 2017, at 8:32 AM, Tomas Pilar (tpilar) wrote:
>>
>> Hi,
>>
>> I am trying to implement a message-box communication protocol between
>> PCIe devices in the same host without the assistance of the OS. For
>> irreducible reasons, I can't use PCIe endpoint-to-endpoint communication,
>> so I thought I could create a DMA-based message-box protocol where in
>> UEFI driver probe (during DXE) I blot out some physical memory (by
>> leaking a page of memory allocated as EfiRuntimeServicesData) that the
>> devices will then use to communicate even when the OS loads.
>>
>> This runs into a problem when VT-d/IOMMU is involved because it still
>> stops the device from doing DMA into that page, even though the OS shouldn't
>> touch the page as it's been allocated using EfiRuntimeServicesData.
>>
>> So my query is: can I achieve this by allocating the box as a different
>> memory type (such as EfiUnusableMemory or EfiReservedMemoryType) and if
>> not, what would be a better way of doing this?
>>
> No, VT-d is designed to stop attacks like yours. By default VT-d blocks all
> DMA, and only allows DMA when it is properly requested by an OS driver that
> is trusted.
>
> You need an OS driver to map the DMA region for use by the PCI devices prior
> to using it on a system with VT-d enabled. If there was a way around this
> that would be a security bug in the IOMMU that an attacker could exploit.
>
> Thanks,
>
> Andrew Fish
>
>> Cheers,
>>
>> Tom
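To illustrate Andrew's point, here is a constructed model of default-deny DMA remapping, written for this reply and not taken from EDK2, any OS, or VT-d's real data structures. The names `os_driver_map` and `iommu_translate` and the device/address values are assumptions: a DMA request is checked against the requesting device's domain, which starts empty, so the page the DXE driver leaked is unreachable until an OS driver maps it for that specific device, and the second endpoint in the message box stays blocked until it is mapped too.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model (not EDK2 or OS code): each PCIe requester (bus/device/
 * function) is bound to a domain holding IOVA->HPA page translations that the
 * OS installed. A DMA whose domain lacks the target page is blocked. */
#define PAGE_SIZE 4096u
#define MAX_MAPS  8
#define MAX_DEVS  4
typedef struct { uint64_t iova, hpa; int valid; } Mapping;
typedef struct { uint16_t bdf; Mapping maps[MAX_MAPS]; } Domain;
static Domain domains[MAX_DEVS]; /* all domains start empty: no DMA allowed */
static int ndomains;
static Domain *domain_for(uint16_t bdf) {
    for (int i = 0; i < ndomains; i++)
        if (domains[i].bdf == bdf) return &domains[i];
    if (ndomains == MAX_DEVS) return NULL;
    domains[ndomains].bdf = bdf;
    memset(domains[ndomains].maps, 0, sizeof domains[ndomains].maps);
    return &domains[ndomains++];
}
/* What a trusted OS driver does (e.g. through the kernel DMA API): install a
 * translation for ONE device. Returns 0 on success, -1 when out of slots. */
int os_driver_map(uint16_t bdf, uint64_t iova, uint64_t hpa) {
    Domain *d = domain_for(bdf);
    if (!d) return -1;
    for (int i = 0; i < MAX_MAPS; i++)
        if (!d->maps[i].valid) {
            d->maps[i] = (Mapping){ iova & ~(uint64_t)(PAGE_SIZE - 1),
                                    hpa  & ~(uint64_t)(PAGE_SIZE - 1), 1 };
            return 0;
        }
    return -1;
}
/* Check applied to every DMA request. Returns 0 and the host physical address
 * on a hit, -1 (blocked) otherwise. The firmware memory type of the page plays
 * no part here: only the OS-installed mapping for this device matters. */
int iommu_translate(uint16_t bdf, uint64_t iova, uint64_t *hpa_out) {
    Domain *d = domain_for(bdf);
    if (!d) return -1;
    uint64_t page = iova & ~(uint64_t)(PAGE_SIZE - 1);
    for (int i = 0; i < MAX_MAPS; i++)
        if (d->maps[i].valid && d->maps[i].iova == page) {
            *hpa_out = d->maps[i].hpa | (iova & (PAGE_SIZE - 1));
            return 0;
        }
    return -1;
}
```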