ACK/CMNT: [PATCH 0/6] [B]iommu: add kernel dma protection
Tyler Hicks
tyhicks at canonical.com
Fri Mar 29 14:57:13 UTC 2019
On 2019-03-29 14:29:36, Aaron Ma wrote:
>
>
> On 3/29/19 6:18 AM, Tyler Hicks wrote:
> > On 2019-03-15 13:00:02, Aaron Ma wrote:
> >> BugLink: https://bugs.launchpad.net/bugs/1820153
> >>
> >> [Impact]
> >> The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
> >> Intel added the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag to the DMAR ACPI table.
> >> Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
> >>
> >> [Fix]
> >> Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
> >> Disable ATS on untrusted PCI devices.
> >>
> >> [Test]
> >> Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
> >> IOMMU enabled as expected with this fix.
> >>
> >> [Regression Potential]
> >> Upstream fix, verified on supported platforms, no effect on unsupported platforms.
> >> Backported changes are fairly minimal.
> >>
> >> These patches are included in 5.0 kernel, disco is good.
> > I think that bringing these patches back to Bionic is a good thing for
> > desktop security. However, I noticed that you didn't include some
> > fixup patches. I think these should be included:
> >
> > d8b859105457 iommu/vt-d: Disable ATS support on untrusted devices
>
> This commit was merged upstream after I sent out this SRU.
> I will attend this commit in this SRU.
>
> If you like a v2 let me know please.
Sending the single patch, like you did, is fine with me. Thanks!
> > 73c2a01c52b6 ACPICA: AML Parser: ignore dispatcher error status during table load
>
> This commit is already merged by the "bionic upstream stable update patchset"
> https://lists.ubuntu.com/archives/kernel-team/2019-February/098394.html
Ok, I missed that.
>
> > a0d5f3b69af7 ACPICA: Drop leading newlines from error messages
>
> This commit's fix changed the function "acpi_ut_prefixed_namespace_error",
> which was introduced in the v4.16 kernel.
> This part of the change in this SRU was dropped when backported.
>
> So it is safe without this commit.
Thanks for taking a look at that!
Tyler
>
> Thanks,
> Aaron
>
> >
> > With those,
> >
> > Acked-by: Tyler Hicks <tyhicks at canonical.com>
> >
> > Tyler
> >
> >> Erik Schmauss (1):
> >> ACPICA: AML parser: attempt to continue loading table after error
> >>
> >> Lu Baolu (1):
> >> iommu/vt-d: Force IOMMU on for platform opt in hint
> >>
> >> Mika Westerberg (4):
> >> ACPI / property: Allow multiple property compatible _DSD entries
> >> PCI / ACPI: Identify untrusted PCI devices
> >> iommu/vt-d: Do not enable ATS for untrusted devices
> >> thunderbolt: Export IOMMU based DMA protection support to userspace
> >>
> >> .../ABI/testing/sysfs-bus-thunderbolt | 9 ++
> >> Documentation/admin-guide/thunderbolt.rst | 20 ++++
> >> drivers/acpi/acpica/psloop.c | 51 ++++++++-
> >> drivers/acpi/acpica/psobject.c | 30 +++++
> >> drivers/acpi/property.c | 105 +++++++++++++-----
> >> drivers/acpi/x86/apple.c | 2 +-
> >> drivers/gpio/gpiolib-acpi.c | 2 +-
> >> drivers/iommu/dmar.c | 25 +++++
> >> drivers/iommu/intel-iommu.c | 56 +++++++++-
> >> drivers/pci/pci-acpi.c | 19 ++++
> >> drivers/pci/probe.c | 15 +++
> >> drivers/thunderbolt/domain.c | 17 +++
> >> include/acpi/acpi_bus.h | 8 +-
> >> include/linux/acpi.h | 9 ++
> >> include/linux/dmar.h | 8 ++
> >> include/linux/pci.h | 8 ++
> >> 16 files changed, 351 insertions(+), 33 deletions(-)
> >>
> >> --
> >> 2.17.1
> >>
> >>
> >> --
> >> kernel-team mailing list
> >> kernel-team at lists.ubuntu.com
> >> https://lists.ubuntu.com/mailman/listinfo/kernel-team
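The series above exports the result of the opt-in logic to userspace through the sysfs attribute `/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection` (documented in `Documentation/admin-guide/thunderbolt.rst` by the "thunderbolt: Export IOMMU based DMA protection support to userspace" patch). The script below is an added example for checking that attribute after deploying the backport; it is not code from the thread or from the kernel series. The helper names, the sysfs-root argument (so it can be pointed at a constructed tree instead of `/sys`) and the sample tree built by `make_fake_sysfs` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the patch series): audit whether the kernel
# reports IOMMU-based DMA protection for each Thunderbolt domain.
# Real attribute: /sys/bus/thunderbolt/devices/domainX/iommu_dma_protection
# Helper names, the sysfs-root argument and make_fake_sysfs are assumptions
# made for this example.

# Print "protected", "unprotected" or "unknown" for one Thunderbolt domain.
# $1: path to the domain directory (e.g. /sys/bus/thunderbolt/devices/domain0)
domain_dma_protection() {
    attr="$1/iommu_dma_protection"
    if [ ! -r "$attr" ]; then
        # Attribute missing: kernel predates this series (or the backport)
        echo unknown
        return 0
    fi
    case "$(cat "$attr")" in
        1) echo protected ;;
        0) echo unprotected ;;
        *) echo unknown ;;
    esac
}

# Summarise every Thunderbolt domain under a sysfs root.
# Exit 0 only when at least one domain exists and all report protection,
# 1 when any domain is unprotected/unknown, 2 when no domain was found.
# $1: sysfs root (normally /sys; a constructed tree in the test)
audit_dma_protection() {
    root="${1:-/sys}"
    found=0
    bad=0
    for dom in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dom" ] || continue
        found=1
        status="$(domain_dma_protection "$dom")"
        printf '%s: %s\n' "$(basename "$dom")" "$status"
        [ "$status" = protected ] || bad=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no thunderbolt domains found"
        return 2
    fi
    return "$bad"
}

# Report the intel_iommu= kernel parameter relevant to this series: with the
# DMAR platform opt-in flag the IOMMU is forced on even without intel_iommu=on,
# but an explicit intel_iommu=off still wins over the opt-in.
# $1: file holding the command line (default /proc/cmdline)
cmdline_iommu_hint() {
    cmdline="${1:-/proc/cmdline}"
    [ -r "$cmdline" ] || { echo unknown; return 0; }
    if grep -qw 'intel_iommu=off' "$cmdline"; then
        echo "intel_iommu=off (platform opt-in ignored)"
    elif grep -qw 'intel_iommu=on' "$cmdline"; then
        echo "intel_iommu=on"
    else
        echo "default (relies on DMAR platform opt-in)"
    fi
}

# Build a constructed sysfs tree for offline testing: domain0 reports
# protection, domain1 does not. Prints the root path.
make_fake_sysfs() {
    fake="$(mktemp -d)"
    mkdir -p "$fake/bus/thunderbolt/devices/domain0" \
             "$fake/bus/thunderbolt/devices/domain1"
    echo 1 > "$fake/bus/thunderbolt/devices/domain0/iommu_dma_protection"
    echo 0 > "$fake/bus/thunderbolt/devices/domain1/iommu_dma_protection"
    echo "$fake"
}

# Usage on a live system (source the file, then):
#   audit_dma_protection /sys; cmdline_iommu_hint
```

A domain that reports `unprotected` on a machine with an external port means the firmware did not set the opt-in flag (or the IOMMU was disabled on the command line), so the ATS and identity-mapping changes in this series are not protecting that port.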