@cr1901 The threat model for most IOMMUs relates to VMs. The earliest ones (at least, outside of mainframes) were actually nothing to do with security; they were there to allow cheap 32-bit NICs to DMA everywhere in a workstation with 8 GiB of RAM, but the Intel, AMD, and Arm designs are all built around virtualisation.
If you do not use virtualisation, you can still use an IOMMU to restrict which regions of the physical address space a device can write to. Regions that no device can write to are safe. Regions that a device can write to cannot be protected from a different device writing to them if the device is malicious.
If devices are not actively malicious, this is not a problem. If a kernel decides to set up different IOMMU regions for each device, a bug in a driver that sends the wrong address for DMA will be mitigated. If a system does device pass-through to a malicious VM and the VM tries to initiate DMA somewhere outside of its pseudophysical (sometimes called Guest Virtual) address space, the IOMMU will stop it.
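
A toy model of the per-device regions described in the post above, added here as an example (not the poster's code and not any real IOMMU's table format). The requester IDs, addresses and the `iommu_write` name are constructed for illustration, and keying the lookup on the ID carried by the request is an assumption of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model: one writable IOVA window per requester ID (constructed values). */
struct window { uint16_t rid; uint64_t iova, len, phys; int writable; };

static const struct window table[] = {
    { 0x0100, 0x10000, 0x4000, 0x80000000, 1 },  /* NIC: receive buffers */
    { 0x0200, 0x10000, 0x2000, 0x90000000, 1 },  /* disk controller      */
};

/* Translate a device write. Returns 0 and sets *phys, or -1 on a fault.
 * Assumption: the lookup trusts the requester ID presented with the request;
 * the model cannot tell which physical device actually issued it. */
int iommu_write(uint16_t rid, uint64_t iova, uint64_t len, uint64_t *phys)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct window *w = &table[i];
        if (w->rid != rid || !w->writable)
            continue;
        /* Overflow-safe check that [iova, iova+len) lies inside the window. */
        if (iova >= w->iova && len <= w->len && iova - w->iova <= w->len - len) {
            *phys = w->phys + (iova - w->iova);
            return 0;
        }
    }
    return -1;  /* no mapping for this requester: the DMA is blocked */
}

int main(void)
{
    uint64_t p = 0;
    /* Same IOVA, different devices: each lands in its own physical region. */
    if (iommu_write(0x0100, 0x10000, 0x1000, &p) == 0)
        printf("NIC  -> 0x%llx\n", (unsigned long long)p);
    if (iommu_write(0x0200, 0x10000, 0x1000, &p) == 0)
        printf("disk -> 0x%llx\n", (unsigned long long)p);
    /* Driver bug: the disk driver programs an address past its window. */
    printf("disk bad address: %d\n", iommu_write(0x0200, 0x12000, 0x1000, &p));
    return 0;
}
```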