[PATCH 0/5] [Cosmic] iommu: add kernel dma protection

Aaron Ma aaron.ma at canonical.com
Fri Mar 15 05:07:39 UTC 2019


BugLink: https://bugs.launchpad.net/bugs/1820153

[Impact]
The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.

[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.

[Test]
Tested on 2 Intel platforms that support the DMA opt in flag with a Thunderbolt dock station.
IOMMU enabled as expected with this fix.

[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.

These patches are included in 5.0 kernel, disco is good.

Lu Baolu (1):
  iommu/vt-d: Force IOMMU on for platform opt in hint

Mika Westerberg (4):
  ACPI / property: Allow multiple property compatible _DSD entries
  PCI / ACPI: Identify untrusted PCI devices
  iommu/vt-d: Do not enable ATS for untrusted devices
  thunderbolt: Export IOMMU based DMA protection support to userspace

 .../ABI/testing/sysfs-bus-thunderbolt         |   9 ++
 Documentation/admin-guide/thunderbolt.rst     |  20 ++++
 drivers/acpi/property.c                       | 105 +++++++++++++-----
 drivers/acpi/x86/apple.c                      |   2 +-
 drivers/gpio/gpiolib-acpi.c                   |   2 +-
 drivers/iommu/dmar.c                          |  25 +++++
 drivers/iommu/intel-iommu.c                   |  56 +++++++++-
 drivers/pci/pci-acpi.c                        |  19 ++++
 drivers/pci/probe.c                           |  15 +++
 drivers/thunderbolt/domain.c                  |  17 +++
 include/acpi/acpi_bus.h                       |   8 +-
 include/linux/acpi.h                          |   9 ++
 include/linux/dmar.h                          |   8 ++
 include/linux/pci.h                           |   8 ++
 14 files changed, 271 insertions(+), 32 deletions(-)

-- 
2.17.1
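
The cover letter above keys the behaviour on the platform opt-in flag in the DMAR ACPI table. The following is an added example, not part of the original message or of the patch series, showing how an administrator could check that flag from user space. The function names are hypothetical, the sample table is constructed, and the layout assumed is the standard 36-byte ACPI header followed by a 1-byte host address width and a 1-byte flags field whose bit 2 is the opt-in flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMAR_FLAGS_OFF       37  /* 36-byte ACPI header + 1-byte host address width */
#define DMAR_MIN_LEN         48  /* header + width + flags + 10 reserved bytes */
#define DMAR_PLATFORM_OPT_IN 0x4 /* bit 2 of flags: DMA_CTRL_PLATFORM_OPT_IN_FLAG */

/* Hypothetical helper: 1 if the flag is set, 0 if clear, -1 if the table is malformed. */
int dmar_platform_opt_in(const uint8_t *t, size_t n)
{
    uint32_t len;
    uint8_t sum = 0;
    if (n < DMAR_MIN_LEN || memcmp(t, "DMAR", 4) != 0)
        return -1;
    len = (uint32_t)t[4] | (uint32_t)t[5] << 8 | (uint32_t)t[6] << 16 | (uint32_t)t[7] << 24;
    if (len < DMAR_MIN_LEN || len > n)
        return -1;
    for (uint32_t i = 0; i < len; i++)  /* ACPI checksum: all bytes sum to 0 mod 256 */
        sum = (uint8_t)(sum + t[i]);
    if (sum != 0)
        return -1;
    return (t[DMAR_FLAGS_OFF] & DMAR_PLATFORM_OPT_IN) ? 1 : 0;
}

/* Constructed sample: a minimal 48-byte DMAR table carrying the given flags byte. */
size_t make_sample_dmar(uint8_t *buf, uint8_t flags)
{
    uint8_t sum = 0;
    memset(buf, 0, DMAR_MIN_LEN);
    memcpy(buf, "DMAR", 4);
    buf[4] = DMAR_MIN_LEN;              /* little-endian table length */
    buf[DMAR_FLAGS_OFF] = flags;
    for (size_t i = 0; i < DMAR_MIN_LEN; i++)
        sum = (uint8_t)(sum + buf[i]);
    buf[9] = (uint8_t)(0 - sum);        /* checksum byte at offset 9 */
    return DMAR_MIN_LEN;
}

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    /* Reading the firmware table normally requires root. */
    FILE *f = fopen(argc > 1 ? argv[1] : "/sys/firmware/acpi/tables/DMAR", "rb");
    if (!f) { perror("DMAR"); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = dmar_platform_opt_in(buf, n);
    printf("platform opt-in: %s\n", r == 1 ? "set" : r == 0 ? "clear" : "bad table");
    return r == 1 ? 0 : 1;
}
```

A set flag only says the firmware requests the protection; whether the running kernel actually enabled the IOMMU still has to be confirmed on the booted system.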
