[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: hwe-next
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-oem in Ubuntu.
https://bugs.launchpad.net/bugs/1820153

Title:
  [SRU][B/C/OEM]IOMMU: add kernel dma protection

Status in HWE Next:
  Fix Released
Status in linux package in Ubuntu:
  Invalid
Status in linux-oem package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux-oem source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux-oem source package in Cosmic:
  Fix Released

Bug description:
  SRU justification:

  [Impact]
  Recent systems shipping with "kernel DMA protection" = "enabled" by default in BIOS.
  This setting option changed "Thunderbolt Security Level" = "No Security (SL0)".
  With this setting systems will be vulnerable to a DMA attack by a thunderbolt device.

  OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
  Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
  Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.

  [Fix]
  Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
  Disable ATS on the untrusted PCI device.

  [Test]
  Tested on 2 Intel platforms that support DMA opt in flag with a thunderbolt dock station.
  iommu enabled as expected with this fix.

  Verified by QA's full test with a temporary build of bionic-oem kernel.
  All tests passed on one supported "DMA protection" system and one non-supported "DMA protection" system.

  [Regression Potential]
  Upstream fix, verified on supported platforms, no effect on not supported platforms.
  Backported changes are fairly minimal.

  These patches are included in 5.0 kernel, disco is good.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1820153/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
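A check for the mechanism in the bug description above, as an added example that is not part of the bug report or of the kernel patches: it decodes the flags byte of a raw DMAR table and combines the opt-in bit with the Thunderbolt `iommu_dma_protection` sysfs value. The flag bit values (from the VT-d specification), the sysfs paths, the verdict strings and the sample table are assumptions or constructed here, not taken from the notification.

```python
import struct
from pathlib import Path

ACPI_HEADER_LEN = 36                 # standard ACPI table header
DMAR_MIN_LEN = ACPI_HEADER_LEN + 12  # + host address width, flags, 10 reserved bytes
# Flags byte of the DMAR table (bit values as in the VT-d specification).
DMAR_FLAGS = {
    0x01: "INTR_REMAP",
    0x02: "X2APIC_OPT_OUT",
    0x04: "DMA_CTRL_PLATFORM_OPT_IN_FLAG",
}
PLATFORM_OPT_IN = 0x04


def parse_dmar(table):
    """Validate a raw DMAR table and decode its header flags byte."""
    if len(table) < DMAR_MIN_LEN:
        raise ValueError("too short for a DMAR table")
    signature, length = struct.unpack_from("<4sI", table, 0)
    if signature != b"DMAR":
        raise ValueError("unexpected signature %r" % signature)
    if length < DMAR_MIN_LEN or length > len(table):
        raise ValueError("length field does not match the data")
    if sum(table[:length]) & 0xFF:
        raise ValueError("bad ACPI checksum")  # whole table must sum to 0 mod 256
    host_addr_width, flags = struct.unpack_from("<BB", table, ACPI_HEADER_LEN)
    return {
        "host_address_bits": host_addr_width + 1,
        "flags": [name for bit, name in DMAR_FLAGS.items() if flags & bit],
        "platform_opt_in": bool(flags & PLATFORM_OPT_IN),
    }


def assess(platform_opt_in, tb_values):
    """Combine the firmware flag with the thunderbolt sysfs values ("0" or "1")."""
    if not platform_opt_in:
        return "no-opt-in"    # firmware does not ask the OS for DMA protection
    if not tb_values:
        return "unconfirmed"  # no thunderbolt domain, or kernel lacks the attribute
    if all(value == "1" for value in tb_values):
        return "protected"    # flag set and the kernel uses the IOMMU for it
    return "unprotected"      # flag set, but the kernel is not using the IOMMU


def build_sample_dmar(flags):
    """Constructed sample: a DMAR header with no remapping structures."""
    body = bytearray(DMAR_MIN_LEN)
    struct.pack_into("<4sIB", body, 0, b"DMAR", DMAR_MIN_LEN, 1)
    body[10:16] = b"SAMPLE"           # OEM ID, constructed
    body[ACPI_HEADER_LEN] = 38        # host address width field: 38 + 1 = 39 bits
    body[ACPI_HEADER_LEN + 1] = flags
    body[9] = (-sum(body)) & 0xFF     # checksum byte
    return bytes(body)


def read_live():
    """Run the same check on this machine (reading the DMAR table needs root)."""
    dmar = parse_dmar(Path("/sys/firmware/acpi/tables/DMAR").read_bytes())
    domains = Path("/sys/bus/thunderbolt/devices").glob("domain*/iommu_dma_protection")
    return assess(dmar["platform_opt_in"], [p.read_text().strip() for p in domains])


if __name__ == "__main__":
    sample = parse_dmar(build_sample_dmar(0x05))
    print("constructed sample:", sample, assess(sample["platform_opt_in"], ["1"]))
    try:
        print("this machine:", read_live())
    except (OSError, ValueError) as exc:
        print("live check skipped:", exc)
```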
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
This bug was fixed in the package linux-oem - 4.15.0-1036.41

---
linux-oem (4.15.0-1036.41) bionic; urgency=medium

  * linux-oem: 4.15.0-1036.41 -proposed tracker (LP: #1822803)

  * Need to add Intel CML related pci-id's (LP: #1821863)
    - drm/i915/cml: Introduce Comet Lake PCH
    - drm/i915/cml: Add CML PCI IDS

  * [SRU] [B/OEM] Fix ACPI bug that causes boot failure (LP: #1819921)
    - SAUCE: ACPI / bus: Add some Lenovo laptops in list of acpi table term list

  * Miscellaneous Ubuntu changes
    - [Config] update configs following rebase to 4.15.0-48.51

  [ Ubuntu: 4.15.0-48.51 ]

  * linux: 4.15.0-48.51 -proposed tracker (LP: #1822820)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

  * 3b080b2564287be91605bfd1d5ee985696e61d3c in ubuntu_btrfs_kernel_fixes triggers system hang on i386 (LP: #1812845)
    - btrfs: raid56: properly unmap parity page in finish_parity_scrub()

  * [P9][LTCTest][Opal][FW910] cpupower monitor shows multiple stop Idle_Stats (LP: #1719545)
    - cpupower : Fix header name to read idle state name

  * [amdgpu] screen corruption when using touchpad (LP: #1818617)
    - drm/amdgpu/gmc: steal the appropriate amount of vram for fw hand-over (v3)
    - drm/amdgpu: Free VGA stolen memory as soon as possible.

  * [SRU][B/C/OEM]IOMMU: add kernel dma protection (LP: #1820153)
    - ACPICA: AML parser: attempt to continue loading table after error
    - ACPI / property: Allow multiple property compatible _DSD entries
    - PCI / ACPI: Identify untrusted PCI devices
    - iommu/vt-d: Force IOMMU on for platform opt in hint
    - iommu/vt-d: Do not enable ATS for untrusted devices
    - thunderbolt: Export IOMMU based DMA protection support to userspace
    - iommu/vt-d: Disable ATS support on untrusted devices

  * Add basic support to NVLink2 passthrough (LP: #1819989)
    - powerpc/powernv/npu: Do not try invalidating 32bit table when 64bit table is enabled
    - powerpc/powernv: call OPAL_QUIESCE before OPAL_SIGNAL_SYSTEM_RESET
    - powerpc/powernv: Export opal_check_token symbol
    - powerpc/powernv: Make possible for user to force a full ipl cec reboot
    - powerpc/powernv/idoa: Remove unnecessary pcidev from pci_dn
    - powerpc/powernv: Move npu struct from pnv_phb to pci_controller
    - powerpc/powernv/npu: Move OPAL calls away from context manipulation
    - powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation
    - powerpc/pseries/npu: Enable platform support
    - powerpc/pseries: Remove IOMMU API support for non-LPAR systems
    - powerpc/powernv/npu: Check mmio_atsd array bounds when populating
    - powerpc/powernv/npu: Fault user page into the hypervisor's pagetable

  * Huawei Hi1822 NIC has poor performance (LP: #1820187)
    - net-next: hinic: fix a problem in free_tx_poll()
    - hinic: remove ndo_poll_controller
    - net-next/hinic: add checksum offload and TSO support
    - hinic: Fix l4_type parameter in hinic_task_set_tunnel_l4
    - net-next/hinic:replace multiply and division operators
    - net-next/hinic:add rx checksum offload for HiNIC
    - net-next/hinic:fix a bug in set mac address
    - net-next/hinic: fix a bug in rx data flow
    - net: hinic: fix null pointer dereference on pointer hwdev
    - hinic: optmize rx refill buffer mechanism
    - net-next/hinic:add shutdown callback
    - net-next/hinic: replace disable_irq_nosync/enable_irq

  * [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
    - Fonts: New Terminus large console font
    - [Config]: enable highdpi Terminus 16x32 font support

  * [19.04 FEAT] qeth: Enhanced link speed - kernel part (LP: #1814892)
    - s390/qeth: report 25Gbit link speed

  * CVE-2017-5754
    - x86/nmi: Fix NMI uaccess race against CR3 switching
    - x86/mm: Fix documentation of module mapping range with 4-level paging
    - x86/pti: Enable global pages for shared areas
    - x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
    - x86/pti: Leave kernel text global for !PCID
    - x86/pti: Fix boot problems from Global-bit setting
    - x86/pti: Fix boot warning from Global-bit setting
    - x86/pti: Reduce amount of kernel text allowed to be Global
    - x86/pti: Disallow global kernel text with RANDSTRUCT
    - x86/entry/32: Add explicit 'l' instruction suffix
    - x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
    - x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
    - x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
    - x86/entry/32: Put ESPFIX code into a macro
    - x86/entry/32: Unshare NMI return path
    - x86/entry/32: Split off return-to-kernel path
    - x86/entry/32: Enter the kernel via trampoline stack
    - x86/entry/32: Leave the kernel via trampoline stack
    - x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
    - x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
    - x86/entry/32:
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
This bug was fixed in the package linux - 4.15.0-48.51

---
linux (4.15.0-48.51) bionic; urgency=medium

  * linux: 4.15.0-48.51 -proposed tracker (LP: #1822820)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

  * 3b080b2564287be91605bfd1d5ee985696e61d3c in ubuntu_btrfs_kernel_fixes triggers system hang on i386 (LP: #1812845)
    - btrfs: raid56: properly unmap parity page in finish_parity_scrub()

  * [P9][LTCTest][Opal][FW910] cpupower monitor shows multiple stop Idle_Stats (LP: #1719545)
    - cpupower : Fix header name to read idle state name

  * [amdgpu] screen corruption when using touchpad (LP: #1818617)
    - drm/amdgpu/gmc: steal the appropriate amount of vram for fw hand-over (v3)
    - drm/amdgpu: Free VGA stolen memory as soon as possible.

  * [SRU][B/C/OEM]IOMMU: add kernel dma protection (LP: #1820153)
    - ACPICA: AML parser: attempt to continue loading table after error
    - ACPI / property: Allow multiple property compatible _DSD entries
    - PCI / ACPI: Identify untrusted PCI devices
    - iommu/vt-d: Force IOMMU on for platform opt in hint
    - iommu/vt-d: Do not enable ATS for untrusted devices
    - thunderbolt: Export IOMMU based DMA protection support to userspace
    - iommu/vt-d: Disable ATS support on untrusted devices

  * Add basic support to NVLink2 passthrough (LP: #1819989)
    - powerpc/powernv/npu: Do not try invalidating 32bit table when 64bit table is enabled
    - powerpc/powernv: call OPAL_QUIESCE before OPAL_SIGNAL_SYSTEM_RESET
    - powerpc/powernv: Export opal_check_token symbol
    - powerpc/powernv: Make possible for user to force a full ipl cec reboot
    - powerpc/powernv/idoa: Remove unnecessary pcidev from pci_dn
    - powerpc/powernv: Move npu struct from pnv_phb to pci_controller
    - powerpc/powernv/npu: Move OPAL calls away from context manipulation
    - powerpc/pseries/iommu: Use memory@ nodes in max RAM address calculation
    - powerpc/pseries/npu: Enable platform support
    - powerpc/pseries: Remove IOMMU API support for non-LPAR systems
    - powerpc/powernv/npu: Check mmio_atsd array bounds when populating
    - powerpc/powernv/npu: Fault user page into the hypervisor's pagetable

  * Huawei Hi1822 NIC has poor performance (LP: #1820187)
    - net-next: hinic: fix a problem in free_tx_poll()
    - hinic: remove ndo_poll_controller
    - net-next/hinic: add checksum offload and TSO support
    - hinic: Fix l4_type parameter in hinic_task_set_tunnel_l4
    - net-next/hinic:replace multiply and division operators
    - net-next/hinic:add rx checksum offload for HiNIC
    - net-next/hinic:fix a bug in set mac address
    - net-next/hinic: fix a bug in rx data flow
    - net: hinic: fix null pointer dereference on pointer hwdev
    - hinic: optmize rx refill buffer mechanism
    - net-next/hinic:add shutdown callback
    - net-next/hinic: replace disable_irq_nosync/enable_irq

  * [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
    - Fonts: New Terminus large console font
    - [Config]: enable highdpi Terminus 16x32 font support

  * [19.04 FEAT] qeth: Enhanced link speed - kernel part (LP: #1814892)
    - s390/qeth: report 25Gbit link speed

  * CVE-2017-5754
    - x86/nmi: Fix NMI uaccess race against CR3 switching
    - x86/mm: Fix documentation of module mapping range with 4-level paging
    - x86/pti: Enable global pages for shared areas
    - x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
    - x86/pti: Leave kernel text global for !PCID
    - x86/pti: Fix boot problems from Global-bit setting
    - x86/pti: Fix boot warning from Global-bit setting
    - x86/pti: Reduce amount of kernel text allowed to be Global
    - x86/pti: Disallow global kernel text with RANDSTRUCT
    - x86/entry/32: Add explicit 'l' instruction suffix
    - x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
    - x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
    - x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
    - x86/entry/32: Put ESPFIX code into a macro
    - x86/entry/32: Unshare NMI return path
    - x86/entry/32: Split off return-to-kernel path
    - x86/entry/32: Enter the kernel via trampoline stack
    - x86/entry/32: Leave the kernel via trampoline stack
    - x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
    - x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
    - x86/entry/32: Simplify debug entry point
    - x86/entry/32: Add PTI cr3 switch to non-NMI entry/exit points
    - x86/entry/32: Add PTI CR3 switches to NMI handler code
    - x86/entry: Rename update_sp0 to update_task_stack
    - x86/pgtable: Rename pti_set_user_pgd() to pti_set_user_pgtbl()
    - x86/pgtable/pae: Unshare kernel PMDs when PTI is enabled
    - x86/pgtable/32: Allocate 8k page-tables when PTI is enabled
    - x86/pgtable: Move pgdp kernel/user conversion functions to pgtable.h
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
This bug was fixed in the package linux - 4.18.0-18.19

---
linux (4.18.0-18.19) cosmic; urgency=medium

  * linux: 4.18.0-18.19 -proposed tracker (LP: #1822796)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] resync retpoline extraction

  * 3b080b2564287be91605bfd1d5ee985696e61d3c in ubuntu_btrfs_kernel_fixes triggers system hang on i386 (LP: #1812845)
    - btrfs: raid56: properly unmap parity page in finish_parity_scrub()

  * [SRU][B/C/OEM]IOMMU: add kernel dma protection (LP: #1820153)
    - ACPI / property: Allow multiple property compatible _DSD entries
    - PCI / ACPI: Identify untrusted PCI devices
    - iommu/vt-d: Force IOMMU on for platform opt in hint
    - iommu/vt-d: Do not enable ATS for untrusted devices
    - thunderbolt: Export IOMMU based DMA protection support to userspace
    - iommu/vt-d: Disable ATS support on untrusted devices

  * Huawei Hi1822 NIC has poor performance (LP: #1820187)
    - net-next: hinic: fix a problem in free_tx_poll()
    - hinic: remove ndo_poll_controller
    - net-next/hinic: add checksum offload and TSO support
    - hinic: Fix l4_type parameter in hinic_task_set_tunnel_l4
    - net-next/hinic:replace multiply and division operators
    - net-next/hinic:add rx checksum offload for HiNIC
    - net-next/hinic:fix a bug in set mac address
    - net-next/hinic: fix a bug in rx data flow
    - net: hinic: fix null pointer dereference on pointer hwdev
    - hinic: optmize rx refill buffer mechanism
    - net-next/hinic:add shutdown callback
    - net-next/hinic: replace disable_irq_nosync/enable_irq

  * [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
    - Fonts: New Terminus large console font
    - [Config]: enable highdpi Terminus 16x32 font support

  * [19.04 FEAT] qeth: Enhanced link speed - kernel part (LP: #1814892)
    - s390/qeth: report 25Gbit link speed

  * Avoid potential memory corruption on HiSilicon SoCs (LP: #1819546)
    - iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI payloads

  * CVE-2017-5715
    - x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
    - x86/speculation: Propagate information about RSB filling mitigation to sysfs
    - x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
    - x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
    - x86/retpoline: Remove minimal retpoline support
    - x86/speculation: Update the TIF_SSBD comment
    - x86/speculation: Clean up spectre_v2_parse_cmdline()
    - x86/speculation: Remove unnecessary ret variable in cpu_show_common()
    - x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
    - x86/speculation: Disable STIBP when enhanced IBRS is in use
    - x86/speculation: Rename SSBD update functions
    - x86/speculation: Reorganize speculation control MSRs update
    - sched/smt: Make sched_smt_present track topology
    - x86/Kconfig: Select SCHED_SMT if SMP enabled
    - sched/smt: Expose sched_smt_present static key
    - x86/speculation: Rework SMT state change
    - x86/l1tf: Show actual SMT state
    - x86/speculation: Reorder the spec_v2 code
    - x86/speculation: Mark string arrays const correctly
    - x86/speculataion: Mark command line parser data __initdata
    - x86/speculation: Unify conditional spectre v2 print functions
    - x86/speculation: Add command line control for indirect branch speculation
    - x86/speculation: Prepare for per task indirect branch speculation control
    - x86/process: Consolidate and simplify switch_to_xtra() code
    - x86/speculation: Avoid __switch_to_xtra() calls
    - x86/speculation: Prepare for conditional IBPB in switch_mm()
    - ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
    - x86/speculation: Split out TIF update
    - x86/speculation: Prevent stale SPEC_CTRL msr content
    - x86/speculation: Prepare arch_smt_update() for PRCTL mode
    - x86/speculation: Add prctl() control for indirect branch speculation
    - x86/speculation: Enable prctl mode for spectre_v2_user
    - x86/speculation: Add seccomp Spectre v2 user space protection mode
    - x86/speculation: Provide IBPB always command line options
    - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
    - x86/speculation: Change misspelled STIPB to STIBP
    - x86/speculation: Add support for STIBP always-on preferred mode
    - x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE

  * [Ubuntu] vfio-ap: add subsystem to matrix device to avoid libudev failures (LP: #1818854)
    - s390: vfio_ap: link the vfio_ap devices to the vfio_ap bus subsystem

  * Kernel regularly logs: Bluetooth: hci0: last event is not cmd complete (0x0f) (LP: #1748565)
    - Bluetooth: Fix unnecessary error message for HCI request completion

  * HiSilicon HNS ethernet broken in 4.15.0-45 (LP: #1818294)
    - net: hns: Fix WARNING when hns
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Tags removed: verification-needed-bionic verification-needed-cosmic
** Tags added: verification-done-bionic verification-done-cosmic

Status in HWE Next:
  In Progress
Status in linux package in Ubuntu:
  Invalid
Status in linux-oem package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Fix Committed
Status in linux-oem source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux-oem source package in Cosmic:
  Invalid
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
This bug is awaiting verification that the kernel in -proposed solves the
problem. Please test the kernel and update this bug with the results. If
the problem is solved, change the tag 'verification-needed-bionic' to
'verification-done-bionic'. If the problem still exists, change the tag
'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
** Tags added: verification-needed-cosmic
** Tags added: verification-needed-bionic
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: Fix Committed
Status in linux-oem source package in Cosmic: Invalid
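For testers working through the verification request above, an added example (not code from the kernel patches or from this bug) of reading what the bug description keys on: the DMA_CTRL_PLATFORM_OPT_IN_FLAG bit in the DMAR ACPI table. The offsets and bit value follow the ACPI table header layout and the Intel VT-d specification; the function names and the 48-byte sample table are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HDR_LEN 36              /* standard ACPI table header */
#define DMAR_MIN_LEN 48              /* header + width + flags + 10 reserved */
#define DMAR_FLAG_INTR_REMAP 0x01
#define DMAR_FLAG_PLATFORM_OPT_IN 0x04   /* DMA_CTRL_PLATFORM_OPT_IN_FLAG */

enum { DMAR_MALFORMED = -1, DMAR_NO_OPT_IN = 0, DMAR_OPT_IN = 1 };

/* Classify a raw DMAR table image (for example the bytes a privileged
 * process reads from /sys/firmware/acpi/tables/DMAR). */
int dmar_platform_opt_in(const uint8_t *tbl, size_t len)
{
    uint32_t declared;
    uint8_t sum = 0;
    if (tbl == NULL || len < DMAR_MIN_LEN || memcmp(tbl, "DMAR", 4) != 0)
        return DMAR_MALFORMED;
    /* Length: little-endian u32 at offset 4, covering the whole table. */
    declared = (uint32_t)tbl[4] | (uint32_t)tbl[5] << 8 |
               (uint32_t)tbl[6] << 16 | (uint32_t)tbl[7] << 24;
    if (declared < DMAR_MIN_LEN || declared > len)
        return DMAR_MALFORMED;
    /* ACPI checksum: every byte of the table sums to 0 modulo 256. */
    for (size_t i = 0; i < declared; i++)
        sum = (uint8_t)(sum + tbl[i]);
    if (sum != 0)
        return DMAR_MALFORMED;
    /* Offset 36 is the host address width, offset 37 the flags byte. */
    return (tbl[ACPI_HDR_LEN + 1] & DMAR_FLAG_PLATFORM_OPT_IN)
               ? DMAR_OPT_IN : DMAR_NO_OPT_IN;
}

/* Constructed sample: a minimal 48-byte DMAR image with no remapping
 * structures, the given flags byte and a valid checksum. */
size_t make_sample_dmar(uint8_t out[DMAR_MIN_LEN], uint8_t flags)
{
    uint8_t sum = 0;
    memset(out, 0, DMAR_MIN_LEN);
    memcpy(out, "DMAR", 4);
    out[4] = DMAR_MIN_LEN;            /* length, low byte */
    out[8] = 1;                       /* table revision */
    out[ACPI_HDR_LEN] = 38;           /* host address width field */
    out[ACPI_HDR_LEN + 1] = flags;
    for (size_t i = 0; i < DMAR_MIN_LEN; i++)
        sum = (uint8_t)(sum + out[i]);
    out[9] = (uint8_t)(0u - sum);     /* checksum byte at offset 9 */
    return DMAR_MIN_LEN;
}

int main(void)
{
    uint8_t t[DMAR_MIN_LEN];
    size_t n = make_sample_dmar(t, DMAR_FLAG_INTR_REMAP | DMAR_FLAG_PLATFORM_OPT_IN);
    printf("opt-in advertised: %d\n", dmar_platform_opt_in(t, n));
    return 0;
}
```

A set bit only shows that firmware requests DMA protection; whether the running kernel enabled the IOMMU still has to be confirmed from the boot log.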
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: linux (Ubuntu Bionic) Status: New => Fix Committed
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: Fix Committed
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: Fix Committed
Status in linux-oem source package in Cosmic: Invalid
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Description changed: SRU justification: [Impact] + Recent systems shipping with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changed "Thunderbolt Security Level" = "No Security (SL0)". + With this setting systems will be vulnerable to a DMA attack by a thunderbolt device. + OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one. Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table. Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices. [Fix] Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD. Disable ATS on the untrusted PCI device. [Test] Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station. iommu enabled as expected with this fix. [Regression Potential] Upstream fix, Verified on supported platforms, no affection on not supported platforms. Backported changes are fairly minimal. These patches are included in 5.0 kernel, disco is good. ** Description changed: SRU justification: [Impact] Recent systems shipping with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changed "Thunderbolt Security Level" = "No Security (SL0)". With this setting systems will be vulnerable to a DMA attack by a thunderbolt device. OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one. Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table. Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices. [Fix] Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD. Disable ATS on the untrusted PCI device. [Test] Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station. iommu enabled as expected with this fix. + Verified by QA's full test with a temporary build of bionic-oem kernel. + All test passed on one supported "DMA protection" system and one + non-supported "DMA protection" system. 
+ [Regression Potential] Upstream fix, Verified on supported platforms, no affection on not supported platforms. Backported changes are fairly minimal. These patches are included in 5.0 kernel, disco is good.
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: New
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: Fix Committed
Status in linux-oem source package in Cosmic: Invalid
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: linux (Ubuntu Cosmic) Status: New => Fix Committed
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: New
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: Fix Committed
Status in linux-oem source package in Cosmic: Invalid
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: linux-oem (Ubuntu Cosmic) Status: New => Invalid
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: New
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: New
Status in linux-oem source package in Cosmic: Invalid
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: linux-oem (Ubuntu Bionic) Status: New => Fix Committed
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: New
Status in linux-oem source package in Bionic: Fix Committed
Status in linux source package in Cosmic: New
Status in linux-oem source package in Cosmic: New
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
** Changed in: linux (Ubuntu) Assignee: (unassigned) => AaronMa (mapengyu)
** Also affects: linux (Ubuntu Cosmic) Importance: Undecided Status: New
** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New
** Changed in: linux (Ubuntu) Status: Confirmed => Invalid
** Also affects: linux-oem (Ubuntu) Importance: Undecided Status: New
** Changed in: linux-oem (Ubuntu) Status: New => Invalid
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Invalid
Status in linux-oem package in Ubuntu: Invalid
Status in linux source package in Bionic: New
Status in linux-oem source package in Bionic: New
Status in linux source package in Cosmic: New
Status in linux-oem source package in Cosmic: New
[Kernel-packages] [Bug 1820153] Re: [SRU][B/C/OEM]IOMMU: add kernel dma protection
** Changed in: hwe-next Status: New => In Progress
** Changed in: hwe-next Importance: Undecided => Critical
Status in HWE Next: In Progress
Status in linux package in Ubuntu: Incomplete