ACK/CMNT: [PATCH 0/5] [Cosmic] iommu: add kernel dma protection

Khaled Elmously khalid.elmously at canonical.com
Fri Mar 29 06:37:06 UTC 2019


On 2019-03-29 14:32:45 , Aaron Ma wrote:
> 
> 
> On 3/29/19 1:58 PM, Khaled Elmously wrote:
> > On 2019-03-28 17:19:51 , Tyler Hicks wrote:
> >> On 2019-03-15 13:07:39, Aaron Ma wrote:
> >>> BugLink: https://bugs.launchpad.net/bugs/1820153
> >>>
> >>> [Impact]
> >>> OS can use IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
> >>> Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
> >>> Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
> >>>
> >>> [Fix]
> >>> Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
> >>> Disable ATS on the untrusted PCI device.
> >>>
> >>> [Test]
> >>> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> >>> iommu enabled as expected with this fix.
> >>>
> >>> [Regression Potential]
> >>> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> >>> Backported changes are fairly minimal.
> >>>
> >>> These patches are included in 5.0 kernel, disco is good.
> >> These look good to me but you are missing one fixup:
> >>
> >> d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices
> >>
> >> With that,
> >>
> >> Acked-by: Tyler Hicks <tyhicks at canonical.com>
> >>
> > This patchset was already applied with ACKs from Hui and Stefan.
> > Does anything need to change in regards to this new comment?
> 
> This patch was merged in 5.1-rc1 after I sent out this SRU.
> I will append one more patch, just a cherry-pick.
> Please let me know if it is fine to do it this way.
> 
> Test is done with one additional patch too.
> 

That works for me. 


> Thanks,
> Aaron
> 
> 
> > 
> > 
> > 
> >> Tyler
> >>
> >>> Lu Baolu (1):
> >>>   iommu/vt-d: Force IOMMU on for platform opt in hint
> >>>
> >>> Mika Westerberg (4):
> >>>   ACPI / property: Allow multiple property compatible _DSD entries
> >>>   PCI / ACPI: Identify untrusted PCI devices
> >>>   iommu/vt-d: Do not enable ATS for untrusted devices
> >>>   thunderbolt: Export IOMMU based DMA protection support to userspace
> >>>
> >>>  .../ABI/testing/sysfs-bus-thunderbolt         |   9 ++
> >>>  Documentation/admin-guide/thunderbolt.rst     |  20 ++++
> >>>  drivers/acpi/property.c                       | 105 +++++++++++++-----
> >>>  drivers/acpi/x86/apple.c                      |   2 +-
> >>>  drivers/gpio/gpiolib-acpi.c                   |   2 +-
> >>>  drivers/iommu/dmar.c                          |  25 +++++
> >>>  drivers/iommu/intel-iommu.c                   |  56 +++++++++-
> >>>  drivers/pci/pci-acpi.c                        |  19 ++++
> >>>  drivers/pci/probe.c                           |  15 +++
> >>>  drivers/thunderbolt/domain.c                  |  17 +++
> >>>  include/acpi/acpi_bus.h                       |   8 +-
> >>>  include/linux/acpi.h                          |   9 ++
> >>>  include/linux/dmar.h                          |   8 ++
> >>>  include/linux/pci.h                           |   8 ++
> >>>  14 files changed, 271 insertions(+), 32 deletions(-)
> >>>
> >>> -- 
> >>> 2.17.1
> >>>
> >>>
> >>> -- 
> >>> kernel-team mailing list
> >>> kernel-team at lists.ubuntu.com
> >>> https://lists.ubuntu.com/mailman/listinfo/kernel-team


