Many PCI Updates Queued For Linux 4.13

    Phoronix: Many PCI Updates Queued For Linux 4.13

    Bjorn Helgaas has submitted a big batch of PCI updates for the Linux 4.13 kernel merge window...

    http://www.phoronix.com/scan.php?pag...13-PCI-Updates

  • #2
    PCI in ARM SoCs? Is this new or has it been around already?



    • #3

      Originally posted by Elyotna View Post
      PCI in ARM SoCs? Is this new or has it been around already?
      I can't remember how long actual implementations have been around, but this sort of "PCI for ARM" support has been planned for quite a while for the purposes of ARM-based servers.

      Also, keep in mind that Thunderbolt, which is definitely desirable for mobile devices, is basically a PCI-E x4 slot, rerouted to an external connector, with hotplug and some extra multiplexing support required. That's why it presents such an evil maid vulnerability for macbooks. Not only does it support DMA like Firewire, you can attach option ROMs to it.
      Last edited by ssokolow; 07-09-2017, 12:30 PM.



      • #4
        Originally posted by ssokolow View Post
        Also, keep in mind that Thunderbolt, which is definitely desirable for mobile devices, is basically a PCI-E x4 slot, rerouted to an external connector, with hotplug and some extra multiplexing support required. That's why it presents such an evil maid vulnerability for macbooks. Not only does it support DMA like Firewire, you can attach option ROMs to it.
        You say that like it's a bad thing. DMA access and option ROMs are very desirable good features. If anything, it proves the need for *physical* security to prevent unwanted access in the scenarios that require that sort of thing. A MacBook as in your example does not require the same level of physical security as a bank's ATM machine. Thunderbolt is a feature on a MacBook. It's a vulnerability on a public kiosk. It all depends on the context in which it's implemented.



        • #5
          Originally posted by Elyotna View Post
          PCI in ARM SoCs? Is this new or has it been around already?
          PCI express in ARM stuff is not new. Most routers have wifi chips over pcie (even if they are all soldered on the same board), and there are other devices with usb 3.0 over pcie and whatever.

          ARM is not just in phones and tablets. There you won't find pcie.



          • #6
            Originally posted by torsionbar28 View Post
            Thunderbolt is a feature on a MacBook. It's a vulnerability on a public kiosk. It all depends on the context in which it's implemented.
            A vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability.

            Systems that allow connecting external devices with DMA without some form of IOMMU are bullshit that should die in a fire regardless of where they are employed.

            Currently, modern ARM stuff has IOMMU or its own equivalents so this won't be an issue in any modern design. Nothing to see citizen, move along.

            If anything, it proves the need for *physical* security to prevent unwanted access in the scenarios that require that sort of thing.
            Yeah, because someone couldn't just ship zillions of cheap infected devices that will be bought by unsuspecting victims that will then get pwnz0red.
            Last edited by starshipeleven; 07-09-2017, 01:28 PM.



            • #7
              Originally posted by starshipeleven View Post
              A vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability.

              Systems that allow connecting external devices with DMA without some form of IOMMU are bullshit that should die in a fire regardless of where they are employed.

              Currently, modern ARM stuff has IOMMU or its own equivalents so this won't be an issue in any modern design. Nothing to see citizen, move along.

              Yeah, because someone couldn't just ship zillions of cheap infected devices that will be bought by unsuspecting victims that will then get pwnz0red.
              Why is DMA a bad thing in this case, and how would IOMMU help? (I'm asking because I'm both ignorant and curious. It's okay if you provide links instead of explaining it all yourself.)



              • #8
                Originally posted by wdb974 View Post
                Why is DMA a bad thing in this case, and how would IOMMU help? (I'm asking because I'm both ignorant and curious. It's okay if you provide links instead of explaining it all yourself.)
                DMA is Direct Memory Access. While it is very useful (see wikipedia for more details https://en.wikipedia.org/wiki/Direct_memory_access ) it allows any device with such privilege to snoop (and potentially modify) anything in RAM. This is not cool at all. If you let external devices do this it's an easy insta-pwn. See here for some examples http://www.h-online.com/security/new...y-1198476.html but you can google any article about DMA and Firewire or DMA and Thunderbolt to see what can happen.

                IOMMU is Input Output Memory Management Unit, a hardware component (more or less, it needs hardware support for this feature anyway) that allocates a specific chunk of RAM for each device needing DMA and then shows to it ONLY its reserved memory space.
                So any device needing DMA will get access only to its own chunk of memory, and won't be able to see or modify anything else. It's a sandbox, and will stop any abuse mentioned above.

                Technically speaking it also allows devices to deal with 64-bit amounts of memory (they can be assigned memory with addresses beyond 3 GB), which is useful in case the device's controllers are not 64-bit (very common) or not even 32-bit.

                IOMMU is called VT-d in Intel speak, and AMD-Vi (or just IOMMU) in AMD speak. Most of the time it is supported in modern hardware, but you usually need to enable it with kernel command line parameters as there is no option for it in the UEFI firmware configuration interface. I have no idea about enabling them in Windows.

                EDIT: Also this sandbox allows trickery like passthrough of complex hardware like GPUs and 10Gbit ethernet controllers to VMs and things like that with minimum performance impact.
                Last edited by starshipeleven; 07-09-2017, 06:14 PM.

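As an added example (not part of the thread, and not the kernel's own tooling), a POSIX shell audit that reads the kernel command line and sysfs to tell whether the IOMMU sandbox starshipeleven describes is actually in force on a Linux host. It assumes the stock Linux parameter names (intel_iommu=, amd_iommu=, iommu=, iommu.passthrough=) and sysfs paths; the Thunderbolt iommu_dma_protection attribute only exists on kernels from 5.0, so that line is skipped elsewhere.

```shell
#!/bin/sh
# Added example: audit whether external DMA is confined by an IOMMU.
# Assumptions: Linux host, stock kernel parameter names and sysfs layout.

# Classify a kernel command line by its IOMMU-related parameters.
# Prints one of: on, on-passthrough, off, default.
#   - intel_iommu=on or iommu=force explicitly enable the IOMMU (Intel needs
#     intel_iommu=on; the AMD driver is on by default when firmware exposes IVRS).
#   - iommu=pt / iommu.passthrough=1 give kernel-owned devices identity
#     mappings, so a hotplugged DMA master is NOT confined even though the
#     IOMMU is active and groups exist.
#   - intel_iommu=off / amd_iommu=off / iommu=off: every DMA master sees all RAM.
iommu_cmdline_status() {
    enabled=no; off=no; pt=no
    for tok in $1; do
        case "$tok" in
            intel_iommu=on|iommu=force)              enabled=yes ;;
            intel_iommu=off|amd_iommu=off|iommu=off) off=yes ;;
            iommu=pt|iommu.passthrough=1)            pt=yes ;;
        esac
    done
    if   [ "$off" = yes ];     then echo off
    elif [ "$pt" = yes ];      then echo on-passthrough
    elif [ "$enabled" = yes ]; then echo on
    else                            echo default
    fi
}

# Count IOMMU groups; 0 means the kernel built none (no IOMMU, or disabled).
iommu_group_count() {
    n=0
    for g in /sys/kernel/iommu_groups/*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# Human-readable report for the running host.
iommu_report() {
    echo "cmdline : $(iommu_cmdline_status "$(cat /proc/cmdline 2>/dev/null)")"
    echo "groups  : $(iommu_group_count)"
    # Kernels from 5.0 expose whether Thunderbolt DMA protection is active.
    for f in /sys/bus/thunderbolt/devices/domain*/iommu_dma_protection; do
        [ -f "$f" ] && echo "$(basename "$(dirname "$f")"): dma_protection=$(cat "$f")"
    done
    return 0
}

iommu_report
```

A host reporting "default" with 0 groups on Intel hardware has no DMA sandbox at all; "on-passthrough" means VT-d is running but not protecting against a plugged-in device.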


                • #9
                  Originally posted by starshipeleven View Post
                  A vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability is a vulnerability.

                  Systems that allow connecting external devices with DMA without some form of IOMMU are bullshit that should die in a fire regardless of where they are employed.
                  Somebody needs to tell the tier-1 server vendors. All those SAS ports and Fibre Channel ports and Infiniband ports in every datacenter in the world all happily using DMA.
                  Last edited by torsionbar28; 07-09-2017, 08:44 PM.



                  • #10
                    Originally posted by torsionbar28 View Post
                    Somebody needs to tell the tier-1 server vendors. All those SAS ports and Fibre Channel ports and Infiniband ports in every datacenter in the world all happily using DMA.
                    Congrats on the reading comprehension failure. I didn't say that DMA is bad, but that DMA in absence of IOMMU is bad.

                    Most modern stuff has IOMMU (VT-d in Intel speak), servers got it first because reasons.
