APPLIED(C)/cmt: [PATCH v2] iommu/vt-d: Disable ATS support on untrusted devices

Khaled Elmously khalid.elmously at canonical.com
Mon Apr 1 04:51:28 UTC 2019


Applied 1 more patch to Cosmic (without rebasing)

On 2019-03-29 09:55:18 , Tyler Hicks wrote:
> On 2019-03-29 15:22:39, Aaron Ma wrote:
> > From: Lu Baolu <baolu.lu at linux.intel.com>
> > 
> > BugLink: https://bugs.launchpad.net/bugs/1820153
> > 
> > Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
> > devices") disables ATS support on the devices which have been marked
> > as untrusted. Unfortunately this is not enough to fix the DMA attack
> > vulnerabilities because the IOMMU driver allows translated requests as
> > long as a device advertises the ATS capability. Hence a malicious
> > peripheral device could use this to bypass IOMMU.
> > 
> > This disables the ATS support on untrusted devices by clearing the
> > internal per-device ATS mark. As a result, the IOMMU driver will block
> > any translated requests from any device marked as untrusted.
> > 
> > Cc: Jacob Pan <jacob.jun.pan at linux.intel.com>
> > Cc: Mika Westerberg <mika.westerberg at linux.intel.com>
> > Suggested-by: Kevin Tian <kevin.tian at intel.com>
> > Suggested-by: Ashok Raj <ashok.raj at intel.com>
> > Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
> > Signed-off-by: Lu Baolu <baolu.lu at linux.intel.com>
> > Signed-off-by: Joerg Roedel <jroedel at suse.de>
> > (cherry picked from commit d8b8591054575f33237556c32762d54e30774d28)
> > Signed-off-by: Aaron Ma <aaron.ma at canonical.com>
> 
> Acked-by: Tyler Hicks <tyhicks at canonical.com>
> 
> Thanks for sending this one along, too.
> 
> Tyler
> 
> > ---
> >  drivers/iommu/intel-iommu.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
> > index 1c72434af56d..5ade9ac6d3e8 100644
> > --- a/drivers/iommu/intel-iommu.c
> > +++ b/drivers/iommu/intel-iommu.c
> > @@ -2518,7 +2518,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu,
> >  	if (dev && dev_is_pci(dev)) {
> >  		struct pci_dev *pdev = to_pci_dev(info->dev);
> >  
> > -		if (!pci_ats_disabled() &&
> > +		if (!pdev->untrusted &&
> > +		    !pci_ats_disabled() &&
> >  		    ecap_dev_iotlb_support(iommu->ecap) &&
> >  		    pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) &&
> >  		    dmar_find_matched_atsr_unit(pdev))
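Review bot: the new `!pdev->untrusted` test carries no comment, so the condition now reads as a pure capability probe, and a later reader could drop the line as redundant with the ATS-enable check that commit fb58fdcd295b9 already added; put a one-line comment above the `if` saying that an untrusted device must not be recorded as ATS-capable at all, because translated requests from it would otherwise be honoured regardless of whether ATS was ever enabled. Placing the test first is the right order: it is a plain field read and short-circuits the `pci_find_ext_capability()` and `dmar_find_matched_atsr_unit()` lookups for devices that will be rejected anyway.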
> > -- 
> > 2.17.1
> > 
> > 
> > -- 
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
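The condition patched above keys on whether a device merely advertises the ATS extended capability, which is what `pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS)` looks for in config space. As an added example (not code from this patch, from Lu Baolu, or from the Ubuntu kernel tree), the C program below walks a PCIe extended-capability list the same way, reports whether ATS is advertised and whether its Enable bit is set, and can be pointed at `/sys/bus/pci/devices/<BDF>/config` to check a live device. Function names (`find_ext_cap`, `ats_state`, `build_sample`, the `sample_*` hooks), the sample config-space contents and the BDF in the usage comment are all constructed for the example; the register offsets and header layout are from the PCIe specification.

```c
/* ats_audit.c: added example, not code from this patch or the Ubuntu kernel.
 * Walks a PCIe extended-capability list the way pci_find_ext_capability()
 * does and reports whether ATS is advertised and whether its Enable bit is
 * set. Register layout is from the PCIe spec; helper names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PCI_CFG_SPACE_SIZE     256     /* extended list begins right after legacy space */
#define PCI_CFG_SPACE_EXP_SIZE 4096    /* full PCIe config space */
#define PCI_EXT_CAP_ID_ATS     0x000F  /* Address Translation Services */
#define PCI_ATS_CTRL           6       /* 16-bit ATS Control register, cap-relative */
#define PCI_ATS_CTRL_ENABLE    0x8000  /* bit 15: Enable */

/* Config space is byte-addressed and little-endian; small accessors for it. */
static uint16_t rd16(const uint8_t *c, size_t o) { return (uint16_t)(c[o] | c[o + 1] << 8); }
static uint32_t rd32(const uint8_t *c, size_t o) { return rd16(c, o) | (uint32_t)rd16(c, o + 2) << 16; }
static void wr16(uint8_t *c, size_t o, uint16_t v) { c[o] = v & 0xff; c[o + 1] = v >> 8; }
static void wr32(uint8_t *c, size_t o, uint32_t v) { wr16(c, o, v & 0xffff); wr16(c, o + 2, v >> 16); }

/* Offset of extended capability `cap`, or 0 when absent (kernel semantics).
 * Header word: ID[15:0] | version[19:16] | next[31:20]; `next` is dword
 * aligned and must stay above 0xFF. The ttl bound stops a device that
 * advertises a cyclic list from looping the walker forever. */
size_t find_ext_cap(const uint8_t *cfg, size_t len, uint16_t cap)
{
    size_t pos = PCI_CFG_SPACE_SIZE;
    int ttl = (PCI_CFG_SPACE_EXP_SIZE - PCI_CFG_SPACE_SIZE) / 8;
    uint32_t hdr;
    if (len < pos + 4)
        return 0;                       /* legacy-only config space */
    hdr = rd32(cfg, pos);
    if (hdr == 0 || hdr == 0xffffffffu)
        return 0;                       /* empty list, or all-ones from a dead device */
    while (ttl-- > 0) {
        if ((hdr & 0xffff) == cap)
            return pos;
        pos = (hdr >> 20) & 0xffc;
        if (pos < PCI_CFG_SPACE_SIZE || pos + 4 > len)
            return 0;
        hdr = rd32(cfg, pos);
    }
    return 0;
}

/* -1: no ATS capability; 0: ATS advertised, Enable clear; 1: Enable set.
 * "Advertised" is the condition the IOMMU driver keys on in the hunk above. */
int ats_state(const uint8_t *cfg, size_t len)
{
    size_t pos = find_ext_cap(cfg, len, PCI_EXT_CAP_ID_ATS);
    if (pos == 0 || pos + PCI_ATS_CTRL + 2 > len)
        return -1;
    return (rd16(cfg, pos + PCI_ATS_CTRL) & PCI_ATS_CTRL_ENABLE) ? 1 : 0;
}

/* Constructed sample (not captured from hardware): an AER capability at 0x100
 * chained to an ATS capability at 0x150 with the requested Enable state. */
size_t build_sample(uint8_t *cfg, size_t len, int enable_ats)
{
    memset(cfg, 0, len);
    wr32(cfg, 0x100, 0x0001u | 1u << 16 | 0x150u << 20);   /* AER v1, next = 0x150 */
    wr32(cfg, 0x150, PCI_EXT_CAP_ID_ATS | 1u << 16);       /* ATS v1, next = 0 (end) */
    wr16(cfg, 0x150 + PCI_ATS_CTRL, enable_ats ? PCI_ATS_CTRL_ENABLE : 0);
    return len;
}

/* Hooks over the sample; `readable` caps how much of it the caller got. */
int sample_ats_state(int enable_ats, size_t readable)
{
    uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
    build_sample(cfg, sizeof cfg, enable_ats);
    return ats_state(cfg, readable);
}
size_t sample_cap_offset(uint16_t cap)
{
    uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
    return find_ext_cap(cfg, build_sample(cfg, sizeof cfg, 1), cap);
}

/* Usage: ./ats_audit /sys/bus/pci/devices/0000:3b:00.0/config (BDF is an
 * example). Bytes past 255 of that file are readable only as root. */
int main(int argc, char **argv)
{
    static const char *desc[] = { "no ATS capability", "ATS advertised, Enable clear",
                                  "ATS advertised, Enable set" };
    uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
    size_t n;
    if (argc < 2) {
        n = build_sample(cfg, sizeof cfg, 1);   /* no path: demo on the sample */
    } else {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(cfg, 1, sizeof cfg, f);
        fclose(f);
    }
    printf("%zu bytes: %s\n", n, desc[ats_state(cfg, n) + 1]);
    return 0;
}
```

Two things this shows that the commit message does not spell out. First, the walker stops at a truncated read (an unprivileged read of the sysfs file returns only the first 256 bytes, which contain no extended list), so "no ATS capability" from a non-root run means nothing; rerun as root. Second, what you can observe from config space is only the Enable bit that commit fb58fdcd295b9 stopped setting for untrusted devices; the per-device ATS mark this patch clears lives inside the IOMMU driver and is not visible here, so an untrusted device on a patched kernel is expected to read "ATS advertised, Enable clear".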


