diff mbox series

[v2] iommu/vt-d: Disable ATS support on untrusted devices

Message ID 1553844159-21785-1-git-send-email-aaron.ma@canonical.com
State New
Headers show
Series [v2] iommu/vt-d: Disable ATS support on untrusted devices | expand

Commit Message

Aaron Ma March 29, 2019, 7:22 a.m. UTC
From: Lu Baolu <baolu.lu@linux.intel.com>

BugLink: https://bugs.launchpad.net/bugs/1820153

Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
devices") disables ATS support on the devices which have been marked
as untrusted. Unfortunately this is not enough to fix the DMA attack
vulnerabiltiies because IOMMU driver allows translated requests as
long as a device advertises the ATS capability. Hence a malicious
peripheral device could use this to bypass IOMMU.

This disables the ATS support on untrusted devices by clearing the
internal per-device ATS mark. As the result, IOMMU driver will block
any translated requests from any device marked as untrusted.

Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Suggested-by: Ashok Raj <ashok.raj@intel.com>
Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
(cherry picked from commit d8b8591054575f33237556c32762d54e30774d28)
Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
---
 drivers/iommu/intel-iommu.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Tyler Hicks March 29, 2019, 2:55 p.m. UTC | #1
On 2019-03-29 15:22:39, Aaron Ma wrote:
> From: Lu Baolu <baolu.lu@linux.intel.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1820153
> 
> Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
> devices") disables ATS support on the devices which have been marked
> as untrusted. Unfortunately this is not enough to fix the DMA attack
> vulnerabiltiies because IOMMU driver allows translated requests as
> long as a device advertises the ATS capability. Hence a malicious
> peripheral device could use this to bypass IOMMU.
> 
> This disables the ATS support on untrusted devices by clearing the
> internal per-device ATS mark. As the result, IOMMU driver will block
> any translated requests from any device marked as untrusted.
> 
> Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
> Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
> Suggested-by: Kevin Tian <kevin.tian@intel.com>
> Suggested-by: Ashok Raj <ashok.raj@intel.com>
> Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
> Signed-off-by: Joerg Roedel <jroedel@suse.de>
> (cherry picked from commit d8b8591054575f33237556c32762d54e30774d28)
> Signed-off-by: Aaron Ma <aaron.ma@canonical.com>

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Thanks for sending this one along, too.

Tyler

> ---
>  drivers/iommu/intel-iommu.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
> index 1c72434af56d..5ade9ac6d3e8 100644
> --- a/drivers/iommu/intel-iommu.c
> +++ b/drivers/iommu/intel-iommu.c
> @@ -2518,7 +2518,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu,
>  	if (dev && dev_is_pci(dev)) {
>  		struct pci_dev *pdev = to_pci_dev(info->dev);
>  
> -		if (!pci_ats_disabled() &&
> +		if (!pdev->untrusted &&
> +		    !pci_ats_disabled() &&
>  		    ecap_dev_iotlb_support(iommu->ecap) &&
>  		    pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) &&
>  		    dmar_find_matched_atsr_unit(pdev))
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Khaled Elmously April 1, 2019, 4:51 a.m. UTC | #2
Applied 1 more patch to Cosmic (without rebasing)

On 2019-03-29 09:55:18 , Tyler Hicks wrote:
> On 2019-03-29 15:22:39, Aaron Ma wrote:
> > From: Lu Baolu <baolu.lu@linux.intel.com>
> > 
> > BugLink: https://bugs.launchpad.net/bugs/1820153
> > 
> > Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
> > devices") disables ATS support on the devices which have been marked
> > as untrusted. Unfortunately this is not enough to fix the DMA attack
> > vulnerabiltiies because IOMMU driver allows translated requests as
> > long as a device advertises the ATS capability. Hence a malicious
> > peripheral device could use this to bypass IOMMU.
> > 
> > This disables the ATS support on untrusted devices by clearing the
> > internal per-device ATS mark. As the result, IOMMU driver will block
> > any translated requests from any device marked as untrusted.
> > 
> > Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
> > Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
> > Suggested-by: Kevin Tian <kevin.tian@intel.com>
> > Suggested-by: Ashok Raj <ashok.raj@intel.com>
> > Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
> > Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
> > Signed-off-by: Joerg Roedel <jroedel@suse.de>
> > (cherry picked from commit d8b8591054575f33237556c32762d54e30774d28)
> > Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
> 
> Acked-by: Tyler Hicks <tyhicks@canonical.com>
> 
> Thanks for sending this one along, too.
> 
> Tyler
> 
> > ---
> >  drivers/iommu/intel-iommu.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
> > index 1c72434af56d..5ade9ac6d3e8 100644
> > --- a/drivers/iommu/intel-iommu.c
> > +++ b/drivers/iommu/intel-iommu.c
> > @@ -2518,7 +2518,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu,
> >  	if (dev && dev_is_pci(dev)) {
> >  		struct pci_dev *pdev = to_pci_dev(info->dev);
> >  
> > -		if (!pci_ats_disabled() &&
> > +		if (!pdev->untrusted &&
> > +		    !pci_ats_disabled() &&
> >  		    ecap_dev_iotlb_support(iommu->ecap) &&
> >  		    pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) &&
> >  		    dmar_find_matched_atsr_unit(pdev))
> > -- 
> > 2.17.1
> > 
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team@lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff mbox series

Patch

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 1c72434af56d..5ade9ac6d3e8 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2518,7 +2518,8 @@  static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu,
 	if (dev && dev_is_pci(dev)) {
 		struct pci_dev *pdev = to_pci_dev(info->dev);
 
-		if (!pci_ats_disabled() &&
+		if (!pdev->untrusted &&
+		    !pci_ats_disabled() &&
 		    ecap_dev_iotlb_support(iommu->ecap) &&
 		    pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) &&
 		    dmar_find_matched_atsr_unit(pdev))