Google Continues Work On Linux "Restricted DMA" For Situations Like Remote WiFi Attacks
Google engineers continue working on "Restricted DMA" for the Linux kernel, a feature meant to protect systems that lack DMA access control because their hardware has no IOMMU.
Restricted DMA aims to prevent the data leakage or corruption that can result from unexpected DMA access to system memory on systems without an IOMMU. A key motivator is that PCI Express devices get full access to system memory, and WiFi firmware vulnerabilities have already been shown to escalate to a full system compromise, even remotely over WiFi; Google's Project Zero demonstrated such WiFi attacks in 2017.
It now looks like Restricted DMA could be mainlined this year for systems lacking an IOMMU. It leverages the SWIOTLB (Software Input Output Translation Lookaside Buffer) to bounce streaming DMA into and out of a specially allocated region, and serves the device's memory allocations from that same region.
In the current implementation, the reserved region for restricted DMA is a "restricted DMA pool" that can be specified via the Device Tree with an arbitrary address and length.
The latest Restricted DMA patches for the Linux kernel can be found on the kernel mailing list.
The Device Tree binding in the patch series describes the new reserved-memory property as follows:

restricted-dma-pool: This indicates a region of memory meant to be used as a pool of restricted DMA buffers for a set of devices. The memory region would be the only region accessible to those devices. When using this, the no-map and reusable properties must not be set, so the operating system can create a virtual mapping that will be used for synchronization. The main purpose for restricted DMA is to mitigate the lack of DMA access control on systems without an IOMMU, which could result in the DMA accessing the system memory at unexpected times and/or unexpected addresses, possibly leading to data leakage or corruption. The feature on its own provides a basic level of protection against the DMA overwriting buffer contents at unexpected times. However, to protect against general data leakage and system memory corruption, the system needs to provide a way to restrict the DMA to a predefined memory region.
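As an added illustration (not from the article or the kernel patches) of how such a pool is declared, the following constructed Device Tree fragment reserves a region as a restricted DMA pool and ties a placeholder device to it via a memory-region phandle; the addresses, sizes, node names and the "vendor,example-wifi" compatible string are all made up for the example.

```dts
/* Constructed example: a reserved-memory region used as a restricted DMA
 * pool, plus a placeholder device whose DMA is confined to that region.
 * Addresses, sizes and the device node are placeholders, not real values. */

/ {
	#address-cells = <1>;
	#size-cells = <1>;

	reserved-memory {
		#address-cells = <1>;
		#size-cells = <1>;
		ranges;

		/* The pool. Streaming DMA for the attached device is bounced
		 * through this region by SWIOTLB, and the device's coherent
		 * allocations are served from it, so no other system memory is
		 * ever handed to the device. Deliberately no "no-map;" and no
		 * "reusable;" here: the binding forbids both, because the kernel
		 * needs a normal virtual mapping of the region to copy data in
		 * and out when synchronizing DMA buffers. */
		restricted_dma_reserved: restricted-dma@50000000 {
			compatible = "restricted-dma-pool";
			reg = <0x50000000 0x4000000>;	/* 64 MiB at 0x50000000 */
		};
	};

	/* Placeholder WiFi device. The memory-region phandle is what binds the
	 * device to the pool; without it the device uses the default DMA path
	 * and, with no IOMMU, can reach all of system memory. */
	wifi@12000000 {
		compatible = "vendor,example-wifi";	/* placeholder */
		reg = <0x12000000 0x1000>;
		memory-region = <&restricted_dma_reserved>;
	};
};
```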