Message ID | 20190315050744.7952-1-aaron.ma@canonical.com
---|---
Series | iommu: add kernel dma protection
Acked-by: Hui Wang <hui.wang@canonical.com>

On 2019/3/15 1:07 PM, Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> IOMMU enabled as expected with this fix.
>
> [Regression Potential]
> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in the 5.0 kernel, disco is good.
>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (4):
>   ACPI / property: Allow multiple property compatible _DSD entries
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
>  drivers/acpi/property.c                   | 105 +++++++++++++-----
>  drivers/acpi/x86/apple.c                  |   2 +-
>  drivers/gpio/gpiolib-acpi.c               |   2 +-
>  drivers/iommu/dmar.c                      |  25 +++++
>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
>  drivers/pci/pci-acpi.c                    |  19 ++++
>  drivers/pci/probe.c                       |  15 +++
>  drivers/thunderbolt/domain.c              |  17 +++
>  include/acpi/acpi_bus.h                   |   8 +-
>  include/linux/acpi.h                      |   9 ++
>  include/linux/dmar.h                      |   8 ++
>  include/linux/pci.h                       |   8 ++
>  14 files changed, 271 insertions(+), 32 deletions(-)
>
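The opt-in the cover letter describes is a single bit in the DMAR table's Flags byte. As an added example, not code from this series or from the kernel, the C program below parses a DMAR table image: it checks the signature, length and ACPI checksum, counts the DRHD (remapping hardware unit) structures, and reports whether DMA_CTRL_PLATFORM_OPT_IN_FLAG (bit 2 of the Flags byte at offset 37, the value the kernel's dmar.h names DMAR_PLATFORM_OPT_IN) is set. The table that build_sample_dmar() produces is constructed for the example, not a firmware dump; its OEM ID and DRHD register base are made up. Run with no arguments, main() reads the live table from /sys/firmware/acpi/tables/DMAR, which needs root.

```c
/* Added example (not from the patch series or the kernel): parse an ACPI DMAR
 * table image and report the DMA_CTRL_PLATFORM_OPT_IN_FLAG the cover letter names. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMAR_HDR_LEN         48          /* ACPI header (36) + HAW (1) + Flags (1) + Reserved (10) */
#define DMAR_FLAGS_OFF       37          /* Flags byte of the DMAR table */
#define DMAR_INTR_REMAP      (1u << 0)
#define DMAR_PLATFORM_OPT_IN (1u << 2)   /* 0x4: the bit the kernel's dmar.c tests */
#define DMAR_TYPE_DRHD       0           /* DMA Remapping Hardware Unit Definition */

struct dmar_info {
    int valid;          /* signature, length and checksum all passed */
    uint8_t flags;      /* raw Flags byte */
    int drhd_count;     /* number of DRHD (remapping unit) structures */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
/* ACPI tables are valid when every byte, including the checksum byte, sums to 0 mod 256. */
static uint8_t acpi_sum(const uint8_t *p, size_t n) { uint8_t s = 0; while (n--) s = (uint8_t)(s + *p++); return s; }

/* Parse a DMAR table image. Returns 0 on success, -1 if the table is malformed. */
int dmar_parse(const uint8_t *buf, size_t len, struct dmar_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < DMAR_HDR_LEN || memcmp(buf, "DMAR", 4) != 0)
        return -1;
    uint32_t tlen = le32(buf + 4);
    if (tlen < DMAR_HDR_LEN || tlen > len)
        return -1;
    if (acpi_sum(buf, tlen) != 0)
        return -1;
    out->flags = buf[DMAR_FLAGS_OFF];
    /* Remapping structures follow the header: Type (2 bytes), Length (2 bytes), body. */
    for (uint32_t off = DMAR_HDR_LEN; off + 4 <= tlen; ) {
        uint16_t type = le16(buf + off), slen = le16(buf + off + 2);
        if (slen < 4 || off + slen > tlen)      /* zero-length or overrunning entry */
            return -1;
        if (type == DMAR_TYPE_DRHD)
            out->drhd_count++;
        off += slen;
    }
    out->valid = 1;
    return 0;
}

/* 1 if firmware asks the OS to keep the IOMMU on; 0 otherwise or if the table is invalid. */
int dmar_platform_opt_in(const struct dmar_info *info)
{
    return info->valid && (info->flags & DMAR_PLATFORM_OPT_IN) != 0;
}

/* Constructed 64-byte sample (not a firmware dump): header plus one DRHD with
 * INCLUDE_PCI_ALL set and a made-up register base of 0xfed90000. */
size_t build_sample_dmar(uint8_t *buf, int opt_in)
{
    memset(buf, 0, 64);
    memcpy(buf, "DMAR", 4);
    buf[4] = 64;                                   /* Length (little-endian) */
    buf[8] = 1;                                    /* Revision */
    memcpy(buf + 10, "EXAMPL", 6);                 /* OEM ID, made up */
    buf[36] = 38;                                  /* Host Address Width - 1 (39-bit) */
    buf[37] = DMAR_INTR_REMAP | (opt_in ? DMAR_PLATFORM_OPT_IN : 0);
    buf[50] = 16;                                  /* DRHD: Type 0, Length 16 */
    buf[52] = 1;                                   /* DRHD Flags: INCLUDE_PCI_ALL */
    buf[58] = 0xd9; buf[59] = 0xfe;                /* Register Base Address 0xfed90000 */
    buf[9] = (uint8_t)(0x100 - acpi_sum(buf, 64)); /* Checksum byte makes the total wrap to 0 */
    return 64;
}

/* Build, optionally tamper with, parse and classify a sample table: 1 (opt-in), 0 (no
 * opt-in) or -1 (rejected). Flipping the flag without refreshing the checksum is rejected;
 * the checksum catches corruption, not a deliberate rewrite that also fixes the checksum. */
int sample_dmar_check(int opt_in, int tamper)
{
    uint8_t buf[64];
    struct dmar_info info;
    size_t n = build_sample_dmar(buf, opt_in);
    if (tamper)
        buf[DMAR_FLAGS_OFF] ^= DMAR_PLATFORM_OPT_IN;
    if (dmar_parse(buf, n, &info) != 0)
        return -1;
    return dmar_platform_opt_in(&info);
}

int main(void)
{
    static uint8_t buf[65536];
    struct dmar_info info;
    FILE *f = fopen("/sys/firmware/acpi/tables/DMAR", "rb");  /* needs root; absent without VT-d */
    if (!f) { perror("DMAR"); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (dmar_parse(buf, n, &info) != 0) { fprintf(stderr, "DMAR: malformed table\n"); return 1; }
    printf("flags=0x%02x drhd_units=%d platform_opt_in=%s\n", info.flags, info.drhd_count,
           dmar_platform_opt_in(&info) ? "yes" : "no");
    return 0;
}
```

A table that parses but has the flag clear means the first patch of the series will not force the IOMMU on, and the kernel keeps whatever its intel_iommu= default is. The kernel's own verdict, once the last patch of the series is applied, is exported to userspace as the iommu_dma_protection attribute of the Thunderbolt domain under /sys/bus/thunderbolt/devices/.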
On 15.03.19 06:07, Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> IOMMU enabled as expected with this fix.
>
> [Regression Potential]
> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in the 5.0 kernel, disco is good.
>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (4):
>   ACPI / property: Allow multiple property compatible _DSD entries
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
>  drivers/acpi/property.c                   | 105 +++++++++++++-----
>  drivers/acpi/x86/apple.c                  |   2 +-
>  drivers/gpio/gpiolib-acpi.c               |   2 +-
>  drivers/iommu/dmar.c                      |  25 +++++
>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
>  drivers/pci/pci-acpi.c                    |  19 ++++
>  drivers/pci/probe.c                       |  15 +++
>  drivers/thunderbolt/domain.c              |  17 +++
>  include/acpi/acpi_bus.h                   |   8 +-
>  include/linux/acpi.h                      |   9 ++
>  include/linux/dmar.h                      |   8 ++
>  include/linux/pci.h                       |   8 ++
>  14 files changed, 271 insertions(+), 32 deletions(-)
>

For SRU this set looks rather intrusive without a clear statement about the reasons why one would want it backported. Usually an SRU change should fix a bug. This change looks like adding a feature, though I might accept certain reasons why this might be wanted. For Cosmic, I would accept this as is; for Bionic (which looks to be targeted, too, looking at the bug report) I would want to see a bit more reasons and also some positive testing reported on platforms which have no support for this (to explicitly check there are no side effects).

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 2019-03-15 13:07:39 , Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> IOMMU enabled as expected with this fix.
>
> [Regression Potential]
> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in the 5.0 kernel, disco is good.
>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (4):
>   ACPI / property: Allow multiple property compatible _DSD entries
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
>  drivers/acpi/property.c                   | 105 +++++++++++++-----
>  drivers/acpi/x86/apple.c                  |   2 +-
>  drivers/gpio/gpiolib-acpi.c               |   2 +-
>  drivers/iommu/dmar.c                      |  25 +++++
>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
>  drivers/pci/pci-acpi.c                    |  19 ++++
>  drivers/pci/probe.c                       |  15 +++
>  drivers/thunderbolt/domain.c              |  17 +++
>  include/acpi/acpi_bus.h                   |   8 +-
>  include/linux/acpi.h                      |   9 ++
>  include/linux/dmar.h                      |   8 ++
>  include/linux/pci.h                       |   8 ++
>  14 files changed, 271 insertions(+), 32 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 2019-03-15 13:07:39, Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> IOMMU enabled as expected with this fix.
>
> [Regression Potential]
> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in the 5.0 kernel, disco is good.

These look good to me but you are missing one fixup:

d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices

With that,

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Tyler

>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (4):
>   ACPI / property: Allow multiple property compatible _DSD entries
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
>  drivers/acpi/property.c                   | 105 +++++++++++++-----
>  drivers/acpi/x86/apple.c                  |   2 +-
>  drivers/gpio/gpiolib-acpi.c               |   2 +-
>  drivers/iommu/dmar.c                      |  25 +++++
>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
>  drivers/pci/pci-acpi.c                    |  19 ++++
>  drivers/pci/probe.c                       |  15 +++
>  drivers/thunderbolt/domain.c              |  17 +++
>  include/acpi/acpi_bus.h                   |   8 +-
>  include/linux/acpi.h                      |   9 ++
>  include/linux/dmar.h                      |   8 ++
>  include/linux/pci.h                       |   8 ++
>  14 files changed, 271 insertions(+), 32 deletions(-)
>
> --
> 2.17.1
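The fixup Tyler names concerns ATS. With ATS enabled a device can issue pre-translated requests that the IOMMU does not translate again, which is why the series keeps it off for untrusted devices. As an added example, not code from the series or from the kernel, the C program below walks the PCIe extended capability list of a config-space image, locates the ATS capability (ID 0x000F) and reads its Enable bit (bit 15 of the ATS Control register, 6 bytes into the capability); the walk is bounded by a hop count and an offset check so a looped capability list from a hostile device cannot hang it. build_sample_cfg() produces a constructed 4 KiB image, not a dump of any real device; its vendor/device IDs and capability offsets are made up. Given a path such as /sys/bus/pci/devices/<BDF>/config, main() reports the state of the real device; reading past the first 64 bytes of config space needs root.

```c
/* Added example (not from the patch series or the kernel): find the PCIe ATS
 * extended capability in a config-space image and report whether it is enabled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_CFG_SPACE_EXP_SIZE 4096
#define PCI_EXT_CAP_START      0x100    /* extended capabilities start after legacy config space */
#define PCI_EXT_CAP_ID_ATS     0x000F   /* Address Translation Services */
#define PCI_EXT_CAP_ID_AER     0x0001   /* used only to give the sample list a first entry */
#define PCI_ATS_CTRL           0x06     /* ATS Control register, 16 bits, relative to the cap */
#define PCI_ATS_CTRL_ENABLE    0x8000   /* bit 15: Enable */

enum ats_state { ATS_ABSENT = 0, ATS_DISABLED = 1, ATS_ENABLED = 2 };

static uint16_t rd16(const uint8_t *cfg, unsigned off) { return (uint16_t)(cfg[off] | cfg[off + 1] << 8); }
static uint32_t rd32(const uint8_t *cfg, unsigned off) { return rd16(cfg, off) | (uint32_t)rd16(cfg, off + 2) << 16; }
static void wr32(uint8_t *cfg, unsigned off, uint32_t v)
{
    for (int i = 0; i < 4; i++) cfg[off + i] = (uint8_t)(v >> (8 * i));
}

/* Offset of extended capability `id`, or 0 if absent. Header layout: bits 15:0 ID,
 * bits 19:16 version, bits 31:20 next pointer (dword aligned). The hop limit and the
 * >= 0x100 check stop a looped or back-pointing list from hanging the walk. */
unsigned pci_find_ext_cap(const uint8_t *cfg, size_t len, uint16_t id)
{
    unsigned off = PCI_EXT_CAP_START;
    for (int hops = 0; hops < 512 && off >= PCI_EXT_CAP_START && off + 4 <= len; hops++) {
        uint32_t hdr = rd32(cfg, off);
        if (hdr == 0 || hdr == 0xffffffffu)   /* empty list, or device not responding */
            return 0;
        if ((hdr & 0xffff) == id)
            return off;
        off = (hdr >> 20) & 0xffc;
        if (off == 0)
            return 0;
    }
    return 0;
}

enum ats_state pci_ats_state(const uint8_t *cfg, size_t len)
{
    unsigned off = pci_find_ext_cap(cfg, len, PCI_EXT_CAP_ID_ATS);
    if (off == 0 || off + PCI_ATS_CTRL + 2 > len)
        return ATS_ABSENT;
    return (rd16(cfg, off + PCI_ATS_CTRL) & PCI_ATS_CTRL_ENABLE) ? ATS_ENABLED : ATS_DISABLED;
}

/* Constructed 4 KiB config-space image (not a dump of any real device): made-up
 * vendor/device IDs, an AER capability at 0x100 and, optionally, ATS at 0x140.
 * With `loop` and no ATS, the AER entry points back at itself to exercise the walk. */
void build_sample_cfg(uint8_t *cfg, int with_ats, int ats_enabled, int loop)
{
    memset(cfg, 0, PCI_CFG_SPACE_EXP_SIZE);
    wr32(cfg, 0x00, 0x12345678u);                       /* device 0x1234, vendor 0x5678: made up */
    cfg[0x06] = 0x10;                                   /* Status: capabilities list present */
    unsigned next = with_ats ? 0x140u : (loop ? 0x100u : 0u);
    wr32(cfg, 0x100, PCI_EXT_CAP_ID_AER | 1u << 16 | next << 20);
    if (with_ats) {
        wr32(cfg, 0x140, PCI_EXT_CAP_ID_ATS | 1u << 16);   /* last entry: next pointer 0 */
        cfg[0x144] = 0x20;                              /* ATS Capability: page aligned request */
        if (ats_enabled)
            cfg[0x147] |= 0x80;                         /* Control bit 15 = high byte of 0x146 */
    }
}

/* Build and classify a sample image; used by the checks below. */
int sample_ats_state(int with_ats, int ats_enabled, int loop)
{
    static uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
    build_sample_cfg(cfg, with_ats, ats_enabled, loop);
    return pci_ats_state(cfg, sizeof cfg);
}

int main(int argc, char **argv)
{
    static uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
    static const char *names[] = { "absent", "disabled", "ENABLED" };
    if (argc != 2) { fprintf(stderr, "usage: %s /sys/bus/pci/devices/<BDF>/config\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");                      /* the full 4 KiB needs root */
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(cfg, 1, sizeof cfg, f);
    fclose(f);
    printf("%s: read %zu bytes, ATS %s\n", argv[1], n, names[pci_ats_state(cfg, n)]);
    return 0;
}
```

On a kernel carrying the series plus this fixup, a device that enumerated below a port marked ExternalFacingPort should report ATS disabled even when it advertises the capability, because the kernel never enables it; ATS reported as enabled on such a device is the condition the fixup exists to prevent.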
On 2019-03-28 17:19:51 , Tyler Hicks wrote:
> On 2019-03-15 13:07:39, Aaron Ma wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1820153
> >
> > [Impact]
> > The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> > Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> > Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
> >
> > [Fix]
> > Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> > Disable ATS on the untrusted PCI device.
> >
> > [Test]
> > Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> > IOMMU enabled as expected with this fix.
> >
> > [Regression Potential]
> > Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> > Backported changes are fairly minimal.
> >
> > These patches are included in the 5.0 kernel, disco is good.
>
> These look good to me but you are missing one fixup:
>
> d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices
>
> With that,
>
> Acked-by: Tyler Hicks <tyhicks@canonical.com>
>

This patchset was already applied with ACKs from Hui and Stefan.
Does anything need to change in regards to this new comment?

> Tyler
>
> >
> > Lu Baolu (1):
> >   iommu/vt-d: Force IOMMU on for platform opt in hint
> >
> > Mika Westerberg (4):
> >   ACPI / property: Allow multiple property compatible _DSD entries
> >   PCI / ACPI: Identify untrusted PCI devices
> >   iommu/vt-d: Do not enable ATS for untrusted devices
> >   thunderbolt: Export IOMMU based DMA protection support to userspace
> >
> >  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
> >  Documentation/admin-guide/thunderbolt.rst |  20 ++++
> >  drivers/acpi/property.c                   | 105 +++++++++++++-----
> >  drivers/acpi/x86/apple.c                  |   2 +-
> >  drivers/gpio/gpiolib-acpi.c               |   2 +-
> >  drivers/iommu/dmar.c                      |  25 +++++
> >  drivers/iommu/intel-iommu.c               |  56 +++++++++-
> >  drivers/pci/pci-acpi.c                    |  19 ++++
> >  drivers/pci/probe.c                       |  15 +++
> >  drivers/thunderbolt/domain.c              |  17 +++
> >  include/acpi/acpi_bus.h                   |   8 +-
> >  include/linux/acpi.h                      |   9 ++
> >  include/linux/dmar.h                      |   8 ++
> >  include/linux/pci.h                       |   8 ++
> >  14 files changed, 271 insertions(+), 32 deletions(-)
> >
> > --
> > 2.17.1
On 3/29/19 1:58 PM, Khaled Elmously wrote:
> On 2019-03-28 17:19:51 , Tyler Hicks wrote:
>> On 2019-03-15 13:07:39, Aaron Ma wrote:
>>> BugLink: https://bugs.launchpad.net/bugs/1820153
>>>
>>> [Impact]
>>> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
>>> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
>>> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
>>>
>>> [Fix]
>>> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
>>> Disable ATS on the untrusted PCI device.
>>>
>>> [Test]
>>> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
>>> IOMMU enabled as expected with this fix.
>>>
>>> [Regression Potential]
>>> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
>>> Backported changes are fairly minimal.
>>>
>>> These patches are included in the 5.0 kernel, disco is good.
>> These look good to me but you are missing one fixup:
>>
>> d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices
>>
>> With that,
>>
>> Acked-by: Tyler Hicks <tyhicks@canonical.com>
>>
> This patchset was already applied with ACKs from Hui and Stefan.
> Does anything need to change in regards to this new comment?

This patch was merged in 5.1-rc1 after I sent out this SRU.
I will append one more patch, just a cherry-pick.
Please let me know if it is fine to do it this way.

Testing is done with the one additional patch too.

Thanks,
Aaron

>
>
>
>> Tyler
>>
>>> Lu Baolu (1):
>>>   iommu/vt-d: Force IOMMU on for platform opt in hint
>>>
>>> Mika Westerberg (4):
>>>   ACPI / property: Allow multiple property compatible _DSD entries
>>>   PCI / ACPI: Identify untrusted PCI devices
>>>   iommu/vt-d: Do not enable ATS for untrusted devices
>>>   thunderbolt: Export IOMMU based DMA protection support to userspace
>>>
>>>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
>>>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
>>>  drivers/acpi/property.c                   | 105 +++++++++++++-----
>>>  drivers/acpi/x86/apple.c                  |   2 +-
>>>  drivers/gpio/gpiolib-acpi.c               |   2 +-
>>>  drivers/iommu/dmar.c                      |  25 +++++
>>>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
>>>  drivers/pci/pci-acpi.c                    |  19 ++++
>>>  drivers/pci/probe.c                       |  15 +++
>>>  drivers/thunderbolt/domain.c              |  17 +++
>>>  include/acpi/acpi_bus.h                   |   8 +-
>>>  include/linux/acpi.h                      |   9 ++
>>>  include/linux/dmar.h                      |   8 ++
>>>  include/linux/pci.h                       |   8 ++
>>>  14 files changed, 271 insertions(+), 32 deletions(-)
>>>
>>> --
>>> 2.17.1
On 2019-03-29 14:32:45 , Aaron Ma wrote:
>
>
> On 3/29/19 1:58 PM, Khaled Elmously wrote:
> > On 2019-03-28 17:19:51 , Tyler Hicks wrote:
> >> On 2019-03-15 13:07:39, Aaron Ma wrote:
> >>> BugLink: https://bugs.launchpad.net/bugs/1820153
> >>>
> >>> [Impact]
> >>> The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
> >>> Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
> >>> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
> >>>
> >>> [Fix]
> >>> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> >>> Disable ATS on the untrusted PCI device.
> >>>
> >>> [Test]
> >>> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> >>> IOMMU enabled as expected with this fix.
> >>>
> >>> [Regression Potential]
> >>> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> >>> Backported changes are fairly minimal.
> >>>
> >>> These patches are included in the 5.0 kernel, disco is good.
> >> These look good to me but you are missing one fixup:
> >>
> >> d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices
> >>
> >> With that,
> >>
> >> Acked-by: Tyler Hicks <tyhicks@canonical.com>
> >>
> > This patchset was already applied with ACKs from Hui and Stefan.
> > Does anything need to change in regards to this new comment?
>
> This patch was merged in 5.1-rc1 after I sent out this SRU.
> I will append one more patch, just a cherry-pick.
> Please let me know if it is fine to do it this way.
>
> Testing is done with the one additional patch too.
>

That works for me.

> Thanks,
> Aaron
>
>
>
>
> >> Tyler
> >>
> >>> Lu Baolu (1):
> >>>   iommu/vt-d: Force IOMMU on for platform opt in hint
> >>>
> >>> Mika Westerberg (4):
> >>>   ACPI / property: Allow multiple property compatible _DSD entries
> >>>   PCI / ACPI: Identify untrusted PCI devices
> >>>   iommu/vt-d: Do not enable ATS for untrusted devices
> >>>   thunderbolt: Export IOMMU based DMA protection support to userspace
> >>>
> >>>  .../ABI/testing/sysfs-bus-thunderbolt     |   9 ++
> >>>  Documentation/admin-guide/thunderbolt.rst |  20 ++++
> >>>  drivers/acpi/property.c                   | 105 +++++++++++++-----
> >>>  drivers/acpi/x86/apple.c                  |   2 +-
> >>>  drivers/gpio/gpiolib-acpi.c               |   2 +-
> >>>  drivers/iommu/dmar.c                      |  25 +++++
> >>>  drivers/iommu/intel-iommu.c               |  56 +++++++++-
> >>>  drivers/pci/pci-acpi.c                    |  19 ++++
> >>>  drivers/pci/probe.c                       |  15 +++
> >>>  drivers/thunderbolt/domain.c              |  17 +++
> >>>  include/acpi/acpi_bus.h                   |   8 +-
> >>>  include/linux/acpi.h                      |   9 ++
> >>>  include/linux/dmar.h                      |   8 ++
> >>>  include/linux/pci.h                       |   8 ++
> >>>  14 files changed, 271 insertions(+), 32 deletions(-)
> >>>
> >>> --
> >>> 2.17.1