Many PCI Updates Queued For Linux 4.13

  • #11
    Originally posted by starshipeleven View Post
    Congrats on the reading comprehension failure; I didn't say that DMA is bad, but that DMA in the absence of an IOMMU is bad.

    Most modern stuff has IOMMU (VT-d in Intel speak), servers got it first because reasons.
    Correct, servers support IOMMU, modern ARM stuff has IOMMU, and the Macbook from the previous example also has IOMMU. So what exactly are you ranting about? Where in this thread did someone recommend a machine with DMA but without IOMMU?

    Comment


    • #12
      Originally posted by starshipeleven View Post
      DMA is Direct Memory Access. While it is very useful (see wikipedia for more details https://en.wikipedia.org/wiki/Direct_memory_access ) it allows any device with such privilege to snoop (and potentially modify) anything in RAM. This is not cool at all. If you let external devices do this it's an easy insta-pwn. See here for some examples http://www.h-online.com/security/new...y-1198476.html but you can google any article about DMA and Firewire or DMA and Thunderbolt to see what can happen.

      IOMMU is Input Output Memory Management Unit, a hardware component (more or less, it needs hardware support for this feature anyway) that allocates a specific chunk of RAM for each device needing DMA and then shows to it ONLY its reserved memory space.
      So any device needing DMA will get access only to its own chunk of memory, and won't be able to see or modify anything else. It's a sandbox, and will stop any abuse mentioned above.

      Technically speaking it also allows devices to deal with 64-bit amounts of memory (they can be assigned memory with addresses beyond 3 GB), which is useful in case the device's controllers are not 64-bit (very common) or not even 32-bit.

      IOMMU is called VT-d in Intel speak, and AMD-Vi (or just IOMMU) in AMD speak. Most of the time it is supported in modern hardware, but you usually need to enable it with kernel command line parameters as there is no option for it in the UEFI firmware configuration interface. I have no idea about enabling them in Windows.

      EDIT: Also this sandbox allows trickery like passthrough of complex hardware like GPUs and 10Gbit ethernet controllers to VMs and things like that with minimum performance impact.
      A thorough reply. Thank you! Now, I understand the big concerns over Firewire several years ago.

      Does this mean I should enable IOMMU in the BIOS? I've kept it disabled because the option's tool tip says that it's only useful for virtualization and might potentially hurt performance otherwise. And since I haven't used VMs in a long while...

      Comment
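Since the post above says the IOMMU usually has to be switched on from the kernel command line, here is an added example (not from the thread or its participants) that checks whether a Linux box actually has one active: it looks for an explicit request on the command line and, more reliably, for the `/sys/kernel/iommu_groups` directories the kernel only creates when an IOMMU driver is in charge of DMA. The function names and the sample command line are constructed for this example.

```sh
#!/bin/sh
# Added example: is an IOMMU (VT-d / AMD-Vi) confining DMA on this Linux system?

# Return 0 if the kernel command line ($1) explicitly asks for the IOMMU.
# Intel's driver is usually off unless intel_iommu=on is given; AMD's comes
# up on its own when firmware exposes it, so "no request" does not mean "off".
cmdline_requests_iommu() {
    for tok in $1; do
        case "$tok" in
            intel_iommu=on|iommu=force) return 0 ;;
        esac
    done
    return 1
}

# Count IOMMU groups under a sysfs root ($1, default /sys). The kernel creates
# /sys/kernel/iommu_groups/<n> only when an IOMMU driver is active, so a
# non-zero count is the authoritative sign that DMA isolation is in effect.
iommu_group_count() {
    n=0
    for g in "${1:-/sys}"/kernel/iommu_groups/*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# List the devices (PCI addresses) in IOMMU group $2 under sysfs root $1.
# Devices in one group are isolated from other groups but not from each other,
# which matters when judging what a DMA-capable device can still reach.
iommu_group_devices() {
    for d in "${1:-/sys}"/kernel/iommu_groups/"$2"/devices/*; do
        { [ -e "$d" ] || [ -L "$d" ]; } && basename "$d"
    done
    return 0
}

# Summary for the running system (degrades gracefully off Linux).
report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    if cmdline_requests_iommu "$cmdline"; then
        echo "cmdline: IOMMU explicitly requested"
    else
        echo "cmdline: no explicit IOMMU request (may still be on by firmware/default)"
    fi
    groups=$(iommu_group_count /sys)
    echo "iommu groups: $groups"
    [ "$groups" -gt 0 ] || echo "WARNING: no IOMMU groups; device DMA is not confined"
}

report
```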


      • #13
        Originally posted by torsionbar28 View Post
        Where in this thread did someone recommend a machine with DMA but without IOMMU?
        DMA with IOMMU is not a security issue nor a vulnerability. In your post you talk about DMA as if it was a security issue or a vulnerability.
        Hence my assumption that you were talking of DMA without IOMMU.
        Very logical.

        Comment


        • #14
          Originally posted by wdb974 View Post
          A thorough reply. Thank you! Now, I understand the big concerns over Firewire several years ago.

          Does this mean I should enable IOMMU in the BIOS? I've kept it disabled because the option's tool tip says that it's only useful for virtualization and might potentially hurt performance otherwise. And since I haven't used VMs in a long while...
          It depends on what kind of ports you have and how paranoid you are.
          If you have ports that allow DMA from external devices (Firewire and Thunderbolt or 10Gbit ethernet controllers are the only ones you can have), or some special work card (not the usual PC cards, I mean something expensive doing some special interface job to something else outside the PC) attached to a PCIe slot (that allows DMA), then it is better to enable it.

          If you don't have such ports and trust the hardware inside your system enough (anything on PCIe and otherwise inside the system has DMA or can have it if it needs it: ethernet, wifi, gpu, whatever), as it was installed by you or soldered down by the manufacturer, then you can keep it disabled.

          I go full paranoid and keep it enabled everywhere regardless. Afaik there should be no performance hit, and I didn't notice anything unusual on my stuff, but I can't guarantee 100% anything.

          Comment


          • #15
            Originally posted by starshipeleven View Post
            DMA with IOMMU is not a security issue nor a vulnerability. In your post you talk about DMA as if it was a security issue or a vulnerability.
            Hence my assumption that you were talking of DMA without IOMMU.
            Very logical.
            Are you drunk? That's a serious question. I never said or implied that DMA was a vulnerability. Read the thread again from the beginning. ssokolow talked about DMA as a vulnerability, and my response was that it's not - in fact, I'm the only one here who asserted that it's not a vulnerability. Then you jumped in and said DMA is a vulnerability is a vulnerability is a vulnerability blah blah blah....

            You also stated that lack of IOMMU is "bullshit":
            Originally posted by starshipeleven View Post
            Systems that allow connecting external devices with DMA without some form of IOMMU are bullshit that should die in a fire regardless of where they are employed.
            but then shortly thereafter, you flip flopped and said meh it's ok to disable it:
            Originally posted by starshipeleven View Post
            then you can keep it disabled.
            You also made this point about fake hardware and unsuspecting victims:
            Originally posted by starshipeleven View Post
            someone couldn't just ship zillions of cheap infected devices that will be bought by unsuspecting victims that will then get pwnz0red.
            But then flip flopped again and said "if you install it yourself" it's all A-OK to disable IOMMU, as if "self install" and "unsuspecting victim" were mutually exclusive:
            Originally posted by starshipeleven View Post
            ethernet, wifi, gpu, whatever), as it was installed by you ... then you can keep it disabled.
            Lolwhat??
            Last edited by torsionbar28; 07-10-2017, 12:59 PM.

            Comment


            • #16
              Originally posted by torsionbar28 View Post
              Are you drunk? That's a serious question. I never said or implied that DMA was a vulnerability. Read the thread again from the beginning. ssokolow talked about DMA as a vulnerability, and my response was that it's not - in fact, I'm the only one here who asserted that it's not a vulnerability. Then you jumped in and said DMA is a vulnerability is a vulnerability is a vulnerability blah blah blah....
              You said " If anything, it proves the need for *physical* security to prevent unwanted access in the scenarios that require that sort of thing. A macbook as in your example does not require the same level of physical security as a bank's ATM machine. Thunderbolt is a feature on a Macbook. It's a vulnerability on a public kiosk. It all depends on the context in which its implemented. "

              Really, you could have Thunderbolt on ATMs and with IOMMU it would be fine, so now I don't understand what this part was supposed to mean. I read it that on a macbook the security tradeoff is OK while on an ATM (or similar) it is not because of obvious reasons.

              But with IOMMU there is no tradeoff, so I'm confused on what was your point here.

              You also stated that lack of IOMMU is "bullshit": but then shortly thereafter, you flip flopped and said meh it's ok to disable it:
              I said what are the risks and what are various people's approaches to them.

              The main danger is stuff connected through outside ports or esoteric PCIe cards doing special jobs. It's much less likely that big OEMs like, say, ASUS decide to infect their GPUs, laptops or motherboards for lulz (nor is it terribly easy for third parties to do so on that scale).

              Really, IOMMU is a security measure meant to protect your stuff, each person should make his own choice just like he chooses what locks he uses to secure his home or whatever by looking at pros and cons.

              Comment
