ACK/CMNT: [PATCH 0/6] [B]iommu: add kernel dma protection

Aaron Ma aaron.ma at canonical.com
Fri Mar 29 06:29:36 UTC 2019



On 3/29/19 6:18 AM, Tyler Hicks wrote:
> On 2019-03-15 13:00:02, Aaron Ma wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1820153
>>
>> [Impact]
>> The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
>> Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
>> Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
>>
>> [Fix]
>> Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
>> Disable ATS on the untrusted PCI device.
>>
>> [Test]
>> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
>> IOMMU enabled as expected with this fix.
>>
>> [Regression Potential]
>> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
>> Backported changes are fairly minimal.
>>
>> These patches are included in 5.0 kernel, disco is good.
> I think that bringing these patches back to Bionic is a good thing for
> desktop security. However, I noticed that you didn't include some
> fixup patches. I think these should be included:
> 
> d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices

This commit was merged upstream after I sent out this SRU.
I will add this commit to this SRU.

If you would like a v2, please let me know.

> 73c2a01c52b6 ACPICA: AML Parser: ignore dispatcher error status during table load

This commit is already merged by the "bionic upstream stable update patchset":
https://lists.ubuntu.com/archives/kernel-team/2019-February/098394.html

> a0d5f3b69af7 ACPICA: Drop leading newlines from error messages

This commit fixes the changed function "acpi_ut_prefixed_namespace_error",
which was introduced in the v4.16 kernel.
That part of the change in this SRU was dropped when backporting.

So it is safe without this commit.

Thanks,
Aaron

> 
> With those,
> 
> Acked-by: Tyler Hicks <tyhicks at canonical.com>
> 
> Tyler
> 
>> Erik Schmauss (1):
>>   ACPICA: AML parser: attempt to continue loading table after error
>>
>> Lu Baolu (1):
>>   iommu/vt-d: Force IOMMU on for platform opt in hint
>>
>> Mika Westerberg (4):
>>   ACPI / property: Allow multiple property compatible _DSD entries
>>   PCI / ACPI: Identify untrusted PCI devices
>>   iommu/vt-d: Do not enable ATS for untrusted devices
>>   thunderbolt: Export IOMMU based DMA protection support to userspace
>>
>>  .../ABI/testing/sysfs-bus-thunderbolt         |   9 ++
>>  Documentation/admin-guide/thunderbolt.rst     |  20 ++++
>>  drivers/acpi/acpica/psloop.c                  |  51 ++++++++-
>>  drivers/acpi/acpica/psobject.c                |  30 +++++
>>  drivers/acpi/property.c                       | 105 +++++++++++++-----
>>  drivers/acpi/x86/apple.c                      |   2 +-
>>  drivers/gpio/gpiolib-acpi.c                   |   2 +-
>>  drivers/iommu/dmar.c                          |  25 +++++
>>  drivers/iommu/intel-iommu.c                   |  56 +++++++++-
>>  drivers/pci/pci-acpi.c                        |  19 ++++
>>  drivers/pci/probe.c                           |  15 +++
>>  drivers/thunderbolt/domain.c                  |  17 +++
>>  include/acpi/acpi_bus.h                       |   8 +-
>>  include/linux/acpi.h                          |   9 ++
>>  include/linux/dmar.h                          |   8 ++
>>  include/linux/pci.h                           |   8 ++
>>  16 files changed, 351 insertions(+), 33 deletions(-)
>>
>> -- 
>> 2.17.1
>>
>>
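As an added example that is not part of this thread or of the patch series: a POSIX shell script a defender can run after installing the backported kernel to confirm the protection is actually active. It reads the `iommu_dma_protection` sysfs attribute that "thunderbolt: Export IOMMU based DMA protection support to userspace" adds, and greps the kernel log for the message printed when "iommu/vt-d: Force IOMMU on for platform opt in hint" honours DMA_CTRL_PLATFORM_OPT_IN_FLAG. The sysfs layout, the exact log message text and the sample inputs below are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the patch series or from anyone in this thread:
# two defender-side checks for the protection the series enables.
#
#  1. The sysfs attribute added by "thunderbolt: Export IOMMU based DMA
#     protection support to userspace" (Documentation/ABI/testing/sysfs-bus-thunderbolt).
#     Assumed layout: /sys/bus/thunderbolt/devices/domainN/iommu_dma_protection, "1" or "0".
#  2. The boot message printed when "iommu/vt-d: Force IOMMU on for platform
#     opt in hint" sees the DMAR platform opt-in flag. The text
#     "Intel-IOMMU force enabled due to platform opt in" is an assumption
#     recalled from the upstream patch, not quoted from this thread.

# check_dma_protection SYSFS_ROOT
# Return 0 if every Thunderbolt domain reports IOMMU DMA protection,
# 1 if any domain reports it off (or lacks the attribute), 2 if none is found.
check_dma_protection() {
    root="${1:-/sys}"
    found=0
    unprotected=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        attr="$dom/iommu_dma_protection"
        if [ -r "$attr" ]; then
            val=$(cat "$attr")
        else
            val="missing"     # kernel without the backport, or attribute absent
        fi
        case "$val" in
            1) printf '%s: IOMMU DMA protection enabled\n' "${dom##*/}" ;;
            *) printf '%s: IOMMU DMA protection NOT enabled (%s)\n' "${dom##*/}" "$val"
               unprotected=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$unprotected" -eq 0 ]
}

# platform_optin_forced DMESG_FILE
# Return 0 if the saved kernel log shows the IOMMU was force-enabled via the
# DMAR platform opt-in flag, 1 otherwise.
platform_optin_forced() {
    grep -q 'Intel-IOMMU force enabled due to platform opt in' "$1"
}

# make_fake_sysfs DIR VALUE...
# Build a constructed sysfs tree with one Thunderbolt domain per value, so the
# check can be exercised on a machine without Thunderbolt hardware.
make_fake_sysfs() {
    dir="$1"; shift
    i=0
    for v in "$@"; do
        mkdir -p "$dir/bus/thunderbolt/devices/domain$i"
        printf '%s\n' "$v" > "$dir/bus/thunderbolt/devices/domain$i/iommu_dma_protection"
        i=$((i + 1))
    done
}

# make_fake_dmesg FILE FORCED(0|1)
# Write constructed kernel log lines, with or without the opt-in message.
make_fake_dmesg() {
    {
        echo '[    0.000000] DMAR: IOMMU enabled'
        [ "$2" -eq 1 ] && echo '[    0.000000] DMAR: Intel-IOMMU force enabled due to platform opt in'
        echo '[    0.512345] DMAR: Host address width 39'
    } > "$1"
}

# Stand-alone use: sh dma-protection-check.sh /sys /tmp/dmesg.txt
# where the second argument is the output of `dmesg` saved to a file.
if [ "$#" -ge 1 ]; then
    check_dma_protection "$1"; echo "thunderbolt check exit status: $?"
    if [ "$#" -ge 2 ]; then
        if platform_optin_forced "$2"; then
            echo "IOMMU force-enabled by platform opt-in"
        else
            echo "no platform opt-in force-enable message found"
        fi
    fi
fi
```

A non-zero exit status from `check_dma_protection` on a machine with the dock attached is the signal to investigate: either the firmware does not set the opt-in flag, the IOMMU is disabled on the kernel command line, or the running kernel predates the backport.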
