Public bug reported:

SRU justification:

[Impact]
The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.

[Fix]
Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.

[Test]
Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station.
IOMMU enabled as expected with this fix.

[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.

These patches are included in 5.0 kernel, disco is good.

** Affects: hwe-next
     Importance: Undecided
     Assignee: AaronMa (mapengyu)
         Status: New

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete


** Tags: originate-from-1807802 sutton

** Tags added: originate-from-1807802 sutton

** Changed in: hwe-next
     Assignee: (unassigned) => AaronMa (mapengyu)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1820153

Title:
  [SRU][B/C/OEM]IOMMU: add kernel dma protection

Status in HWE Next:
  New
Status in linux package in Ubuntu:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1820153/+subscriptions
