#EMBEDDEDOSSUMMIT

Introduce Hardware-Level Device Isolation to Zephyr
Jaxson Han & Huifeng Zhang, Arm
GitHub: https:/

Authors
Jaxson Han
Huifeng Zhang

Contents
o Background
o SMMU
o Zephyr device model
o Zephyr HW-level device isolation
o Conclusion

Background

An observation:
o The number of DMA devices on low-power platforms is increasing (IoT industry).
o More RTOSes run on high-performance platforms with a variety of DMA devices (automotive industry: high performance and safety).

New challenges for Zephyr:
o DMA devices bypass the system access control?
o How to restrict DMA devices?
o More and more DMA device drivers on the RTOS.
[Figure: a core and several DMA devices all attached to memory]

Background: DMA devices can break the system
o WiFi chip bugs [1, 2, 3]: permission leaks, remote control.
o DMA attacks [4, 5, 6]: steal data or cryptographic keys; install or run spyware and other exploits; modify the system to allow backdoors or other malware.
More DMA drivers are being added into Zephyr. DMA devices might be buggy or even malicious. How to restrict DMA devices on Zephyr?

References
1. https:/
2. https:/
3. https:/
4. https://web.archive.org/web/20160304055745/http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
5. https:/
6. https://en.wikipedia.org/wiki/DMA_attack

Background: Why HW-level device isolation is needed
Zephyr uses the MMU/MPU to isolate the threads' memory regions and protect the system.
[Figure: a CPU running Thread#1 and Thread#2; the MMU/MPU maps Thread#1's regions onto Thread#1's memory and Thread#2's regions onto Thread#2's memory, and is reprogrammed at each context switch]
An access that has not been granted will be denied.

However, the MMU/MPU can only restrict memory accesses coming from CPUs. Memory accesses from DMA are NOT protected by the MMU/MPU, which may cause system crashes or security issues.
[Figure: the MMU/MPU cannot control the accesses from a DMA device; it will not even be aware that the DMA device performs a malicious access to the thread's memory ("Boom")]

Background: How to mitigate the issue
Hardware-level isolation can mitigate the issue:
o SMMU (System MMU, Arm)
o IOMMU (IO MMU, Intel)
o xPPU (Xilinx peripheral protection unit)
o other vendor firewalls
o ...
SMMU support allows systems to share A-profile page tables with peripherals:
o widely used in rich OSes (e.g. Linux) and hypervisors
o isolates DMA accesses
o eliminates the requirement for physically contiguous pages for DMA buffers
o extends old DMA device access
o accelerates virtualization
o flexible to switch between passthrough and virtualization

But too powerful:
o Fully supporting SMMU/IOMMU increases the overhead for Zephyr.
o Inappropriate to add SMMU/IOMMU to low-power platforms: increased cost, more power consumption.
What we do:
o Partially enable SMMUv3 (as an implementation example) for DMA device isolation:
  o lower the overhead by using a linear mapping (fewer TLB misses)
  o isolate every DMA device to improve security
o Add a subsystem interface to manage DMA device isolation:
  o easier to use for drivers, components and applications
  o to support more hardware-level isolation technologies

Background: What's more, apart from the isolation
Zephyr as a Virtual Machine Manager (VMM) or a hypervisor?
o needs an SMMU/IOMMU driver to support virtualization (passthrough, VirtIO or ...)
o accelerates DMA access
Zephyr to support more platforms?
o devices require SMMU/IOMMU on some high-performance platforms
o to support some 32-bit DMA devices on 64-bit platforms

SMMU
Introduction
Similar to an MMU: performs address translation and access control. But differently: for bus initiators external to the CPU (DMA devices). Multiple page tables support multiple DMA devices.
[Figure: the threads on CPU#0 and CPU#1 each reach memory through the MMU/MPU with their own mem map; DMA device#0 ... DMA device#n each reach memory through the SMMU/IOMMU with mem map#0 ... mem map#n]

Address translation for DMA devices
The SMMU has a stream table, context descriptor tables and page tables (the same as the MMU). An access issued from a device carries a StreamID, a SubStreamID and a VA; the SMMU outputs a PA after translation.
o StreamID: each device is assigned a StreamID, which indexes the stream table (STE0, STE1, STE2, ... from the stream table base).
o SubStreamID: used to distinguish the VA spaces of different processes (usually the SSID or PASID is used as the SubStreamID); it selects the context descriptor (CD0, CD1, CD2, ...).
o Page table: translates the VA into the output PA.

Configurable capabilities
o Bypass the translation (thus VA = PA)
o Bypass the SubStreamID
o Reduce the number of translation table levels by using block attributes (similar to the MMU)
o Supports 2nd-stage translation (VA -> IPA -> PA) for hypervisors (virtualization)
[Figure: VA -> stage 1 translation or bypass -> IPA -> stage 2 translation or bypass -> PA]

Isolate DMA devices
With the SMMU, software can isolate DMA devices.
[Figure: without the SMMU, the DMA device reaches the thread memory directly; with the SMMU, the DMA device only reaches its allowed memory]
Configure the memory map to isolate the region for the DMA device.
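The lookup path these slides describe (StreamID selects the STE, SubStreamID selects the CD, then a page-table walk that stops early on a block entry, plus the two bypass modes) modelled in C as an added example. This is not code from the slides or from Zephyr; the table sizes, the 2 MiB block / 4 KiB page geometry and every address in the sample tables are constructed for the example.

```c
/* Added example: a software model of the SMMU lookup path (stream table ->
 * context descriptor -> page table). Not code from the slides or from Zephyr;
 * table sizes, the two-level page table with 2 MiB blocks and 4 KiB pages, and
 * every address below are constructed. */
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT  12                                  /* 4 KiB pages */
#define BLOCK_SHIFT 21                                  /* 2 MiB level-1 blocks */
#define L1_ENTRIES  4                                   /* 8 MiB of VA per table */
#define L2_ENTRIES  (1u << (BLOCK_SHIFT - PAGE_SHIFT))  /* 512 pages per block */
#define N_STE       4

/* Level-2 table: one 4 KiB page per entry. */
struct l2_table { bool valid[L2_ENTRIES]; uint64_t pa[L2_ENTRIES]; };

/* Level-1 entry: either a 2 MiB block (no level 2 to walk) or an L2 pointer. */
struct l1_entry { bool valid; bool is_block; uint64_t block_pa; const struct l2_table *l2; };
struct page_table { struct l1_entry l1[L1_ENTRIES]; };

/* Context descriptor (selected by SubStreamID): base of one stage-1 table. */
struct context_desc { bool valid; const struct page_table *ttb; };

/* Stream table entry (selected by StreamID). */
struct stream_entry {
    bool valid;                    /* device known to the SMMU? */
    bool bypass;                   /* translation bypassed: PA = VA */
    bool ignore_ssid;              /* SubStreamID bypassed: always use CD0 */
    const struct context_desc *cd; /* this device's CD table */
    int n_cd;
};

struct smmu_result { bool fault; uint64_t pa; };
static struct smmu_result res_fault(void) { return (struct smmu_result){ true, 0 }; }
static struct smmu_result res_pa(uint64_t pa) { return (struct smmu_result){ false, pa }; }

/* Translate one DMA transaction (StreamID, SubStreamID, VA) against a stream table. */
struct smmu_result smmu_translate(const struct stream_entry *st, int n_ste,
                                  uint32_t sid, uint32_t ssid, uint64_t va)
{
    if (sid >= (uint32_t)n_ste || !st[sid].valid) return res_fault(); /* unknown device */
    const struct stream_entry *ste = &st[sid];
    if (ste->bypass) return res_pa(va);
    uint32_t cdi = ste->ignore_ssid ? 0 : ssid;
    if (cdi >= (uint32_t)ste->n_cd || !ste->cd[cdi].valid) return res_fault();
    const struct page_table *pt = ste->cd[cdi].ttb;
    uint64_t i1 = va >> BLOCK_SHIFT;
    if (i1 >= L1_ENTRIES || !pt->l1[i1].valid) return res_fault();
    const struct l1_entry *e = &pt->l1[i1];
    if (e->is_block)                /* block attribute: stop walking at level 1 */
        return res_pa(e->block_pa | (va & ((1ull << BLOCK_SHIFT) - 1)));
    uint64_t i2 = (va >> PAGE_SHIFT) & (L2_ENTRIES - 1);
    if (!e->l2->valid[i2]) return res_fault();
    return res_pa(e->l2->pa[i2] | (va & ((1ull << PAGE_SHIFT) - 1)));
}

/* Constructed sample configuration (all values invented for the example):
 *  StreamID 0: translated; SSID 0 -> table A, SSID 1 -> table B, other SSIDs fault.
 *  StreamID 1: full bypass (PA = VA).
 *  StreamID 2: not registered, every access faults.
 *  StreamID 3: SubStreamID ignored, always table B.
 *  Table A: VA [0, 2 MiB) -> PA 0x80000000 as one block; VA 0x203000 -> PA 0x90003000 as a page.
 *  Table B: VA [0, 2 MiB) -> PA 0xA0000000 as one block. */
static const struct l2_table l2_a = { .valid = { [3] = true }, .pa = { [3] = 0x90003000ull } };
static const struct page_table pt_a = { .l1 = {
    [0] = { .valid = true, .is_block = true, .block_pa = 0x80000000ull },
    [1] = { .valid = true, .l2 = &l2_a } } };
static const struct page_table pt_b = { .l1 = {
    [0] = { .valid = true, .is_block = true, .block_pa = 0xA0000000ull } } };
static const struct context_desc cds_0[] = { { true, &pt_a }, { true, &pt_b } };
static const struct context_desc cds_3[] = { { true, &pt_b } };
static const struct stream_entry stream_table[N_STE] = {
    [0] = { .valid = true, .cd = cds_0, .n_cd = 2 },
    [1] = { .valid = true, .bypass = true },
    [3] = { .valid = true, .ignore_ssid = true, .cd = cds_3, .n_cd = 1 },
};

/* Convenience wrapper over the sample stream table. */
struct smmu_result smmu_lookup(uint32_t sid, uint32_t ssid, uint64_t va)
{
    return smmu_translate(stream_table, N_STE, sid, ssid, va);
}
```

With these tables, smmu_lookup(0, 0, 0x1234) resolves through the block entry to PA 0x80001234 in a single level-1 lookup, smmu_lookup(0, 0, 0x204000) faults because that page is not mapped, StreamID 1 returns its VA unchanged, and StreamID 3 reaches table B whatever SubStreamID it presents. A real SMMU also carries permission bits and stage-2 tables, which this model leaves out.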
Zephyr Device Model

Overview
[Figure: Application -> Subsystem 1 and Subsystem 2 (each a Generic Type API: API 1, API 2, API 3) -> device driver instances (Inst 1 of Dev 1, Inst 2 of Dev 1, Inst 1 of Dev 2, Inst 1 of Dev 3; each with config, APIs, data) -> Dev 1 / Dev 2 / Dev 3 driver (API Impl 1, API Impl 2, API Impl 3)]
Device Driver APIs, Device Driver Instances, Device Driver Implementations. Refs: https://docs.zephyrproject.org/latest/_images/device_driver_model.svg

Subsystem
o Defines generic device driver APIs
o Simple programming for applications
o Not specific to any particular driver implementation
Driver Data Structures
o Hold a device's data to support multiple device driver instances
Device Driver Implementations
o Implement a device-independent subsystem API
o Fill in the pointers to the driver data structures
[Figure: applications call the subsystem API; the drivers implement it]

Single Driver, Multiple Instances
A real example: one driver implementation with multiple device instances, e.g. PL011 uart0 and uart1.

Zephyr HW-level device isolation

Sub contents
o The design: overview
o The design: DTS
o The subsystem interface
o The implementation
o Add latency for DMA operations?
The design: overview
[Figure, before: Applications -> Zephyr subsys -> Zephyr drivers (Driver#1: Instance#1; Driver#2: Instance#1, Instance#2)]
[Figure, after the Dev Isolation subsys and the SMMU driver are introduced: Applications -> Zephyr subsys -> drivers (Driver#1, Driver#2) -> Dev Isolation subsys (SMMU domains, SMMU map/remap) -> Dev Isolation driver (SMMUv3, SMMUv2, IOMMU, IOMPU/SMPU) -> Device#1 Instance#1, Device#1 Instance#2, Device#2 Instance#1]
The Dev Isolation subsys consists of 2 parts:
1) register the devices
2) restrict the memory for the devices
Domain: defines an address space. One domain has one linear space with multiple regions.

The design: DTS
To make them work, the DTS should provide:
o SMMU nodes: compatible, base address, length/size
o The DMA devices: the PCI and device information, the SMMU phandle, the RID base address (BDF on PCI), the StreamID

DTS: PCI device + SMMUv3

    /* Property values were not shown on the slide and are left as "...";
     * placing the AHCI node under the PCI host node is assumed. */
    pci: pci@40000000 {
        compatible = "pci-host-ecam-generic";
        reg = <...>;
        msi-parent = <...>;
        #address-cells = <...>;
        #size-cells = <...>;
        ranges = <...>;
        smmu-maps = <...>;

        ahci: ahci@0 {
            compatible = "ata-ahci";
            vendor-id = <...>;
            device-id = <...>;
            status = "okay";
        };
    };

    smmu: smmu@2b400000 {
        compatible = "arm,smmu-v3";
        reg = <...>;
        #smmu-map-cells = <...>;
    };

The subsystem interface
o Defines generic APIs for device isolation
o Simple programming for DMA device drivers
o Supports multiple implementations:
  o SMMUv3
  o IOMMU (welcome anyone to contribute)
  o Easy to add a new one

[Figure: the isolation drivers plug into the generic DevIsoAPI, and the DMA device drivers call the deviso_* entry points]
SMMUv3 driver (smmu_config, smmu_data):
    static int smmu_dom_switch()
    static int smmu_ctx_alloc()
    static int smmu_ctx_free()
    static int smmu_map()
    static int smmu_unmap()
    static int smmu_init()
    static int smmu_queue_xxx()
    static int smmu_cmd_xxx()
IOMMU driver (iommu_config, iommu_data):
    static int iommu_dom_switch()
    static int iommu_ctx_alloc()
    static int iommu_ctx_free()
    static int iommu_map()
    static int iommu_unmap()
    static int iommu_init()
    static int iommu_init_xxx()
Others: ...
DevIsoAPI (generic API filled in by each implementation):
    int (*dom_switch)()
    int (*ctx_alloc)()
    int (*ctx_free)()
    int (*map)()
    int (*unmap)()
Subsystem entry points:
    int deviso_dom_switch()
    int deviso_ctx_alloc()
    int deviso_ctx_free()
    int deviso_map()
    int deviso_unmap()
DMA device driver:
    static int xxx_init()
    {
        ret = deviso_ctx_alloc(xxx);
    }
    static int xxx_transmit()
    {
        ret = deviso_map(xxx);
    }

The implementation (PoC)
[Figure: the CPU runs Zephyr (APPs, dev drivers, DevIsoAPI, SMMU driver, MMU/MPU config); the SMMU's SID table and translation table map the DMA device onto the allocated, allowed DRAM region and match every DMA access against it]
1. The dev driver allocates a DMA buffer for the device.
2. The dev driver calls the DevIsoAPI to map the buffer for the device.
3. The device copies data to DRAM.
Board: fvp_base_revc_2xaemv8a. DMA device: PCI + AHCI. Isolation driver: SMMUv3.

The implementation: SMMUv3 control
The SMMUv3 driver controls the SMMU by sending commands to it via a command queue, which is a ring buffer.
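The subsystem interface, the single-driver/multiple-instances pattern from the device model section and the PoC flow (driver allocates a buffer, maps it through the DevIsoAPI, the device accesses DRAM) put together as one added example in C. It is not code from the slides or from Zephyr: the deviso_* and smmu_* names follow the slides, but the data structures, the StreamIDs 0x10/0x11, the region table and the smmu_check_access function that plays the hardware's role in matching a DMA access are assumptions made for illustration.

```c
/* Added example, not code from the slides or from Zephyr: a host-side model of the
 * device-isolation subsystem, an SMMU backend behind it and one DMA driver with two
 * instances calling it. deviso_*, smmu_*, ctx_alloc, map and unmap follow the slides
 * (dom_switch and ctx_free are left out); everything else is an assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#define DEVISO_MAX_CTX     4   /* isolation contexts, one per DMA device */
#define DEVISO_MAX_REGIONS 8   /* regions in one domain's linear space */

/* Minimal stand-in for Zephyr's struct device: config, data, API vtable. */
struct device { const char *name; const void *config; void *data; const void *api; };
struct deviso_region { uintptr_t base; size_t len; };
struct deviso_domain {          /* one linear address space with several regions */
    bool used; uint32_t stream_id; int nregions;
    struct deviso_region regions[DEVISO_MAX_REGIONS];
};

/* Generic DevIsoAPI: every isolation driver (SMMUv3, IOMMU, ...) fills this in. */
struct deviso_api {
    int (*ctx_alloc)(const struct device *iso, uint32_t stream_id);
    int (*map)(const struct device *iso, int ctx, uintptr_t base, size_t len);
    int (*unmap)(const struct device *iso, int ctx, uintptr_t base);
};
#define DEVISO(iso) ((const struct deviso_api *)(iso)->api)
int deviso_ctx_alloc(const struct device *iso, uint32_t sid) { return DEVISO(iso)->ctx_alloc(iso, sid); }
int deviso_map(const struct device *iso, int c, uintptr_t b, size_t l) { return DEVISO(iso)->map(iso, c, b, l); }
int deviso_unmap(const struct device *iso, int c, uintptr_t b) { return DEVISO(iso)->unmap(iso, c, b); }

/* SMMU backend: the stream table is modelled as a ctx -> domain array. */
struct smmu_data { struct deviso_domain dom[DEVISO_MAX_CTX]; };
static struct deviso_domain *smmu_dom(const struct device *iso, int ctx)
{
    struct smmu_data *d = iso->data;
    return (ctx < 0 || ctx >= DEVISO_MAX_CTX || !d->dom[ctx].used) ? NULL : &d->dom[ctx];
}
static int smmu_ctx_alloc(const struct device *iso, uint32_t sid)
{
    struct smmu_data *d = iso->data;
    for (int i = 0; i < DEVISO_MAX_CTX; i++) {
        if (d->dom[i].used) continue;
        d->dom[i].used = true; d->dom[i].stream_id = sid; d->dom[i].nregions = 0;
        return i;                                /* the context handle */
    }
    return -1;                                   /* no free context */
}
static int smmu_map(const struct device *iso, int ctx, uintptr_t base, size_t len)
{
    struct deviso_domain *dom = smmu_dom(iso, ctx);
    if (!dom || len == 0 || dom->nregions == DEVISO_MAX_REGIONS) return -1;
    dom->regions[dom->nregions++] = (struct deviso_region){ base, len };
    return 0;
}
static int smmu_unmap(const struct device *iso, int ctx, uintptr_t base)
{
    struct deviso_domain *dom = smmu_dom(iso, ctx);
    if (!dom) return -1;
    for (int i = 0; i < dom->nregions; i++) {
        if (dom->regions[i].base != base) continue;
        dom->regions[i] = dom->regions[--dom->nregions];
        return 0;
    }
    return -1;                                   /* nothing mapped at base */
}
/* What the hardware does on every transaction: find the domain by StreamID and
 * allow the access only if [addr, addr + len) lies inside one mapped region. */
bool smmu_check_access(const struct device *iso, uint32_t sid, uintptr_t addr, size_t len)
{
    const struct smmu_data *d = iso->data;
    for (int i = 0; i < DEVISO_MAX_CTX; i++) {
        const struct deviso_domain *dom = &d->dom[i];
        if (!dom->used || dom->stream_id != sid) continue;
        for (int r = 0; r < dom->nregions; r++) {
            uintptr_t b = dom->regions[r].base, e = b + dom->regions[r].len;
            if (addr >= b && addr + len >= addr && addr + len <= e) return true;
        }
    }
    return false;                   /* unmapped, or another device's region: denied */
}
static const struct deviso_api smmu_api = { smmu_ctx_alloc, smmu_map, smmu_unmap };
static struct smmu_data smmu0_data;
const struct device smmu0 = { "smmu@2b400000", NULL, &smmu0_data, &smmu_api };

/* One DMA driver implementation, two instances, both behind the same SMMU. */
struct ahci_config { const struct device *iso; uint32_t stream_id; }; struct ahci_data { int ctx; };
int ahci_init(const struct device *dev)          /* PoC step 1: register the device */
{
    const struct ahci_config *cfg = dev->config;
    struct ahci_data *data = dev->data;
    data->ctx = deviso_ctx_alloc(cfg->iso, cfg->stream_id);
    return data->ctx < 0 ? -1 : 0;
}
int ahci_transmit(const struct device *dev, uintptr_t buf, size_t len) /* step 2: map the buffer */
{
    const struct ahci_config *cfg = dev->config;
    return deviso_map(cfg->iso, ((struct ahci_data *)dev->data)->ctx, buf, len);
}
static const struct ahci_config ahci0_cfg = { &smmu0, 0x10 };  /* StreamIDs are constructed */
static const struct ahci_config ahci1_cfg = { &smmu0, 0x11 };
static struct ahci_data ahci0_data, ahci1_data;
const struct device ahci0 = { "ahci0", &ahci0_cfg, &ahci0_data, NULL };
const struct device ahci1 = { "ahci1", &ahci1_cfg, &ahci1_data, NULL };
```

Calling ahci_init on both instances allocates contexts 0 and 1 for StreamIDs 0x10 and 0x11. After ahci0 maps a 4 KiB buffer with ahci_transmit, smmu_check_access allows StreamID 0x10 inside that buffer only; the same address presented by StreamID 0x11 (the other instance of the same driver), an address past the end of the buffer, and a range straddling its end are all denied, and once the driver calls deviso_unmap the buffer is denied again. The domain is a flat list of regions, which mirrors the linear mapping the slides choose to keep TLB misses low.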
Add latency for DMA operations?
SMMU (lowering the TLB miss rate):
o statically linear address mapping
o use block pages
o skip the SubStreamID
o appropriately use ATS (Address Translation Services, platform specific)
o try not to switch translation tables

Conclusion
DMA can break the system:
o buggy
o malicious
DMA device + Zephyr RTOS: the risk is increasing:
o more DMA on low-power platforms
o more RTOSes on high-performance platforms
Add HW-level device isolation:
o enable the SMMU but lower the overhead
o add a subsystem for easy extension
Future work:
o send to upstream
o measure the latency

Q&A
Thank you!