Message ID | 20190315050418.7788-1-aaron.ma@canonical.com |
---|---|
Series | iommu: add kernel dma protection |
On 3/15/19 1:04 PM, Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
> Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
> Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station.
> iommu enabled as expected with this fix.

Verified by QA's full test with a temporary build of bionic-oem kernel.
All test passed on one supported "DMA protection" system and one
non-supported "DMA protection" system.

Regards,
Aaron

>
> [Regression Potential]
> Upstream fix, Verified on supported platforms, no affection on not supported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in 5.0 kernel, disco is good.
>
> Erik Schmauss (1):
>   ACPICA: AML parser: attempt to continue loading table after error
>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (3):
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |  9 +++
>  Documentation/admin-guide/thunderbolt.rst | 20 +++++++
>  drivers/acpi/acpica/psloop.c              | 51 ++++++++++++++++-
>  drivers/acpi/acpica/psobject.c            | 30 ++++++++++
>  drivers/acpi/property.c                   | 11 ++++
>  drivers/iommu/dmar.c                      | 25 +++++++++
>  drivers/iommu/intel-iommu.c               | 56 ++++++++++++++++++-
>  drivers/pci/pci-acpi.c                    | 19 +++++++
>  drivers/pci/probe.c                       | 15 +++++
>  drivers/thunderbolt/domain.c              | 17 ++++++
>  include/linux/dmar.h                      |  8 +++
>  include/linux/pci.h                       |  8 +++
>  12 files changed, 265 insertions(+), 4 deletions(-)
>
> --
> 2.17.1
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>

On 2019/3/26 3:50 PM, Aaron Ma wrote:
> On 3/15/19 1:04 PM, Aaron Ma wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1820153
>>
>> [Impact]
>> OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
>> Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
>> Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
>>
>> [Fix]
>> Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
>> Disable ATS on the untrusted PCI device.
>>
>> [Test]
>> Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station.
>> iommu enabled as expected with this fix.
> Verified by QA's full test with a temporary build of bionic-oem kernel.
> All test passed on one supported "DMA protection" system and one
> non-supported "DMA protection" system.
>
> Regards,
> Aaron

Acked-by: Hui Wang <hui.wang@canonical.com>

>
>> [Regression Potential]
>> Upstream fix, Verified on supported platforms, no affection on not supported platforms.
>> Backported changes are fairly minimal.
>>
>> These patches are included in 5.0 kernel, disco is good.
>>
>> Erik Schmauss (1):
>>   ACPICA: AML parser: attempt to continue loading table after error
>>
>> Lu Baolu (1):
>>   iommu/vt-d: Force IOMMU on for platform opt in hint
>>
>> Mika Westerberg (3):
>>   PCI / ACPI: Identify untrusted PCI devices
>>   iommu/vt-d: Do not enable ATS for untrusted devices
>>   thunderbolt: Export IOMMU based DMA protection support to userspace
>>
>>  .../ABI/testing/sysfs-bus-thunderbolt     |  9 +++
>>  Documentation/admin-guide/thunderbolt.rst | 20 +++++++
>>  drivers/acpi/acpica/psloop.c              | 51 ++++++++++++++++-
>>  drivers/acpi/acpica/psobject.c            | 30 ++++++++++
>>  drivers/acpi/property.c                   | 11 ++++
>>  drivers/iommu/dmar.c                      | 25 +++++++++
>>  drivers/iommu/intel-iommu.c               | 56 ++++++++++++++++++-
>>  drivers/pci/pci-acpi.c                    | 19 +++++++
>>  drivers/pci/probe.c                       | 15 +++++
>>  drivers/thunderbolt/domain.c              | 17 ++++++
>>  include/linux/dmar.h                      |  8 +++
>>  include/linux/pci.h                       |  8 +++
>>  12 files changed, 265 insertions(+), 4 deletions(-)
>>
>> --
>> 2.17.1
>>
>> --
>> kernel-team mailing list
>> kernel-team@lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>>

Acked-By: AceLan Kao <acelan.kao@canonical.com>

On 2019-03-15 13:04:13, Aaron Ma wrote:
> BugLink: https://bugs.launchpad.net/bugs/1820153
>
> [Impact]
> OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
> Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
> Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
>
> [Fix]
> Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
> Disable ATS on the untrusted PCI device.
>
> [Test]
> Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station.
> iommu enabled as expected with this fix.
>
> [Regression Potential]
> Upstream fix, Verified on supported platforms, no affection on not supported platforms.
> Backported changes are fairly minimal.
>
> These patches are included in 5.0 kernel, disco is good.
>
> Erik Schmauss (1):
>   ACPICA: AML parser: attempt to continue loading table after error
>
> Lu Baolu (1):
>   iommu/vt-d: Force IOMMU on for platform opt in hint
>
> Mika Westerberg (3):
>   PCI / ACPI: Identify untrusted PCI devices
>   iommu/vt-d: Do not enable ATS for untrusted devices
>   thunderbolt: Export IOMMU based DMA protection support to userspace
>
>  .../ABI/testing/sysfs-bus-thunderbolt     |  9 +++
>  Documentation/admin-guide/thunderbolt.rst | 20 +++++++
>  drivers/acpi/acpica/psloop.c              | 51 ++++++++++++++++-
>  drivers/acpi/acpica/psobject.c            | 30 ++++++++++
>  drivers/acpi/property.c                   | 11 ++++
>  drivers/iommu/dmar.c                      | 25 +++++++++
>  drivers/iommu/intel-iommu.c               | 56 ++++++++++++++++++-
>  drivers/pci/pci-acpi.c                    | 19 +++++++
>  drivers/pci/probe.c                       | 15 +++++
>  drivers/thunderbolt/domain.c              | 17 ++++++
>  include/linux/dmar.h                      |  8 +++
>  include/linux/pci.h                       |  8 +++
>  12 files changed, 265 insertions(+), 4 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
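
The DMAR half of the opt-in condition in the cover letter can be checked from userspace by reading the flags byte of the DMAR ACPI table. The following is an added example, not code from this thread or the patch series; the function names and the sample table are constructed for illustration, and the offsets assume the standard 36-byte ACPI header followed by the DMAR host address width and flags bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMAR_MIN_LEN          48   /* 36-byte ACPI header + width + flags + 10 reserved */
#define DMAR_FLAGS_OFFSET     37
#define DMAR_PLATFORM_OPT_IN  0x04 /* bit 2: DMA_CTRL_PLATFORM_OPT_IN_FLAG */

/* Returns 1 if the opt-in flag is set, 0 if clear, -1 if not a valid DMAR table. */
int dmar_platform_opt_in(const uint8_t *t, size_t n)
{
    uint32_t len;
    uint8_t sum = 0;

    if (n < DMAR_MIN_LEN || memcmp(t, "DMAR", 4) != 0)
        return -1;
    len = t[4] | t[5] << 8 | t[6] << 16 | (uint32_t)t[7] << 24;
    if (len < DMAR_MIN_LEN || len > n)
        return -1;                  /* truncated read or bogus length field */
    for (uint32_t i = 0; i < len; i++)
        sum += t[i];
    if (sum != 0)                   /* ACPI tables sum to zero modulo 256 */
        return -1;
    return (t[DMAR_FLAGS_OFFSET] & DMAR_PLATFORM_OPT_IN) ? 1 : 0;
}

/* Constructed sample: a minimal DMAR table with no remapping structures. */
size_t make_sample_dmar(uint8_t *t, uint8_t flags)
{
    uint8_t sum = 0;

    memset(t, 0, DMAR_MIN_LEN);
    memcpy(t, "DMAR", 4);
    t[4] = DMAR_MIN_LEN;            /* length, little endian */
    t[36] = 38;                     /* host address width minus one */
    t[DMAR_FLAGS_OFFSET] = flags;
    for (int i = 0; i < DMAR_MIN_LEN; i++)
        sum += t[i];
    t[9] = (uint8_t)(0 - sum);      /* checksum byte makes the total zero */
    return DMAR_MIN_LEN;
}

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(buf, 1, sizeof buf, f) : make_sample_dmar(buf, 0x05);
    if (f)
        fclose(f);
    int r = dmar_platform_opt_in(buf, n);
    printf("DMA_CTRL_PLATFORM_OPT_IN_FLAG: %s\n",
           r < 0 ? "invalid DMAR table" : r ? "set" : "clear");
    return r < 0;
}
```

Run it as root with `/sys/firmware/acpi/tables/DMAR` as the argument to check a real system. A set flag covers only the firmware hint; per the cover letter, the kernel also needs ExternalFacingPort in _DSD to mark devices as untrusted.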