On Thu, 2 Mar 2017 19:04:06 -0500 Rich Freeman wrote:
> On Thu, Mar 2, 2017 at 6:26 PM, Andrew Savchenko <[email protected]> wrote:
> > On Thu, 2 Mar 2017 03:42:24 -0500 [email protected] wrote:
> >>
> >> The IOMMU (theoretically) protects the CPU and memory from rogue
> >> devices, such as the hard drive.
> >
> > No. Any DMA capable device can bypass IOMMU. IOMMU was not
> > designed to protect OS from device.
> >
>
> Huh? I thought protection against DMA attacks was half the reason for
> an IOMMU in the first place.
>
> https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit

Even the page you cited contains: ``Some units also provide memory protection from faulty or malicious devices.''
Please note the word "some" here. IOMMU was created to restrict OS access to devices (and to bring desired guest VM direct hw access when needed). While it may be used the other way around — to protect the OS from a device — it usually doesn't work this way, and not every IOMMU even supports this.

If we look further, IOMMU bypass is a part of the normal operation of many device drivers:
https://lists.gt.net/linux/kernel/365102

Just some real world examples; one can search the web or grep kernel sources for more:
https://lwn.net/Articles/144207/
https://lists.ozlabs.org/pipermail/linuxppc-dev/2014-February/115239.html

And the funniest stuff: even if an IOMMU can be and is configured to sandbox malicious devices, it can be easily bypassed in most real world implementations:
https://hal.archives-ouvertes.fr/hal-01419962/document

So relying on IOMMU to protect from malicious devices is even more naive than relying on SHA1 for crypto integrity needs.

Best regards,
Andrew Savchenko
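As an added illustration of the passthrough point above (this is not code from the thread or from any of the linked projects): a small POSIX sh function that reads a Linux kernel command line and reports what DMA-protection posture it actually implies. The parameter names are the real ones from kernel-parameters.txt; the posture labels, the assumption that the IOMMU is off unless explicitly enabled (true for Intel on kernels of the thread's era, not necessarily on AMD or newer kernels), and the sample command lines are this example's own constructs.

```shell
#!/bin/sh
# Added example: classify a kernel command line by the DMA isolation it gives.
# Posture labels (off / passthrough / lazy / strict) are this example's own.

has_param() {
    # $1 = command line, $2 = exact parameter token, e.g. "iommu=pt"
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

iommu_posture() {
    cmdline=$1
    # Explicitly disabled, or never enabled (assumption: no default-on IOMMU):
    # every DMA-capable device can reach all of physical memory.
    if has_param "$cmdline" intel_iommu=off || has_param "$cmdline" amd_iommu=off; then
        echo off; return
    fi
    if ! has_param "$cmdline" intel_iommu=on && ! has_param "$cmdline" amd_iommu=on \
       && ! has_param "$cmdline" amd_iommu=force_isolation; then
        echo off; return
    fi
    # Passthrough / identity mapping: the IOMMU is on, but devices are mapped
    # 1:1 onto physical memory. This is the "bypass as normal operation" that
    # many drivers rely on; it isolates nothing.
    if has_param "$cmdline" iommu=pt || has_param "$cmdline" iommu.passthrough=1; then
        echo passthrough; return
    fi
    # Lazy IOTLB invalidation: unmapped pages stay reachable by the device
    # until the next flush, so isolation is weaker than the mapping suggests.
    if has_param "$cmdline" iommu.strict=0; then
        echo lazy; return
    fi
    echo strict
}

# Stand-alone use: classify the running kernel's own command line.
if [ -r /proc/cmdline ]; then
    iommu_posture "$(cat /proc/cmdline)"
fi
```

Run against /proc/cmdline it answers the question the thread raises: having "an IOMMU" says little until you know whether it is in passthrough mode.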

