diff --git a/intro.adoc b/intro.adoc index 32fd84f..d34b1ec 100644 --- a/intro.adoc +++ b/intro.adoc @@ -4,9 +4,10 @@ This document describes a mechanism to improve the security of a platform. In a platform, the bus initiators on it can access the target devices, just like a RISC-V hart. The introduction of I/O agents like the DMA (Direct Memory Access Unit) to systems improves performance but exposes the system to vulnerabilities such as DMA attacks. In the RISC-V eco-system, there already exists the PMP/ePMP which provides standard protection scheme for accesses from a RISC-V hart to the physical address space, but there is not a likewise standard for safeguarding non-CPU initiators. Here we propose the Physical Memory Protection Unit of Input/Output Devices, IOPMP for short, to control the accesses issued from the bus initiators. -IOPMP is considered a hardware component in a bus fabric. But why is a pure-software solution not enough? For a RISC-V-based platform, a software solution mainly refers to the security monitor, a program running on the M-mode in charge of handling security-related requests. Once a requirement from another mode asks for a DMA transfer, for example, the security monitor checks if the requirement satisfies all the security rules and then decides whether the requirement is legal. Only a legal requirement will be performed. However, the check could take a long time when the requirement is not as simple as a DMA transfer. A GPU, for example, can take a piece of program to run. Generally, examining whether a program violates access rules is an NP-hard problem. Even though we only consider the average execution time, the latency is not tolerable in most cases. A hardware component that can check accesses on the fly becomes a reasonable solution. That is the subject of this document, IOPMP. - -Another hardware component in a bus matrix, the Input-Output Memory Management Unit (IOMMU), is used to translate a virtual address in a device to a physical address in the bus matrix by one or more stages of page tables. It could be operated in a trusted or untrusted environment and typically is a tool of a hypervisor or an OS. It provides excellent flexibility and reduces external memory fragmentation. However, it may not be an ideal tool for security software running in M-mode because it needs relatively large memory and relatively complicated software compared to a typical security monitor. Besides, the tables are usually stored in the DRAM, which is outside the chip and needs extra protection. For simple systems, this burden may not be affordable. IOPMP, however, consumes much less memory and stores rules inside the chip. Both of them have their own useful areas of application, so IOMMU and IOPMP could coexist and collaborate. IOPMP can be used as a tool for the secure monitor by checking access from devices controlled by other software, while IOMMU can be used by software with richer resources. +IOPMP is considered a hardware component in a bus fabric. But why is a pure-software solution not enough? For a RISC-V-based platform, a software solution mainly refers to the security monitor, a program running on the M-mode in charge of handling security-related requests. Once a requirement from another mode asks for a DMA transfer, for example, the security monitor checks if the requirement satisfies all the security rules and then decides whether the requirement is legal. Only a legal requirement will be performed. However, the check could take a long time when the requirement is not as simple as a DMA transfer. A GPU, for example, can take a piece of program to run. Generally, examining whether a program violates access rules is an NP-hard problem. Even though we only consider the average execution time, the latency is not tolerable in most cases. A hardware component that can check accesses on the fly becomes a reasonable solution. That is the subject of this document, IOPMP. The following figure conceptually demonstrates the integration of IOPMP into a system. .Examplary Integration of IOPMP(s) in System. image::iopmp_system_position.png[] + +Another hardware component in a bus matrix, the Input-Output Memory Management Unit (IOMMU), is used to translate a virtual address in a device to a physical address in the bus matrix by one or more stages of page tables. It could be operated in a trusted or untrusted environment and typically is a tool of a hypervisor or an OS. It provides excellent flexibility and reduces external memory fragmentation. However, it may not be an ideal tool for security software running in M-mode because it needs relatively large memory and relatively complicated software compared to a typical security monitor. Besides, the tables are usually stored in the DRAM, which is outside the chip and needs extra protection. For simple systems, this burden may not be affordable. IOPMP, however, consumes much less memory and stores rules inside the chip. Both of them have their own useful areas of application, so IOMMU and IOPMP could coexist and collaborate. IOPMP can be used as a tool for the secure monitor by checking access from devices controlled by other software, while IOMMU can be used by software with richer resources. +