[SRU][B/C/OEM]IOMMU: add kernel dma protection
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| HWE Next | Fix Released | Critical | AaronMa | |
| linux (Ubuntu) | Invalid | Undecided | AaronMa | |
| linux (Ubuntu Bionic) | Fix Released | Undecided | Unassigned | |
| linux (Ubuntu Cosmic) | Fix Released | Undecided | Unassigned | |
| linux-oem (Ubuntu) | Fix Released | Undecided | Unassigned | |
| linux-oem (Ubuntu Bionic) | Fix Released | Undecided | Unassigned | |
| linux-oem (Ubuntu Cosmic) | Fix Released | Undecided | Unassigned | |
Bug Description
SRU justification:
[Impact]
Recent systems ship with "Kernel DMA Protection" enabled by default in the BIOS. This setting changes the "Thunderbolt Security Level" to "No Security (SL0)".
With this setting the system is vulnerable to a DMA attack by a Thunderbolt device.
The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
Intel adds DMA_CTRL_
Use this flag to enable the IOMMU, and use the _DSD property to identify untrusted PCI devices.
[Fix]
Enable the IOMMU when the BIOS supports the DMA opt-in flag and exposes ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that support the DMA opt-in flag, with a Thunderbolt dock station.
The IOMMU is enabled as expected with this fix.
Verified by QA's full test run with a temporary build of the bionic-oem kernel.
All tests passed on one system that supports "DMA protection" and one that does not.
[Regression Potential]
Upstream fix, verified on supported platforms; no effect on unsupported platforms.
The backported changes are fairly minimal.
These patches are included in the 5.0 kernel, so disco is good.
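As an added example, not part of this bug report or of the Ubuntu kernel tree, the following POSIX shell script checks from userspace whether the state the [Test] section describes (IOMMU enabled on a platform with Kernel DMA Protection) actually holds on a running system. It assumes the sysfs attributes exported by the upstream Thunderbolt series this SRU backports are present: `security` and `iommu_dma_protection` under each `/sys/bus/thunderbolt/devices/domainX/`, plus the group directories under `/sys/kernel/iommu_groups`. The root-prefix argument and the `DMA_CHECK_ROOT` / `DMA_CHECK_NO_MAIN` environment variables are the example's own, so the functions can also be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example: reports whether IOMMU-based DMA protection is active for
# Thunderbolt ports. Not part of the bug report or the Ubuntu kernel.
#
# Assumed sysfs interface (exported by the upstream series this SRU backports):
#   /sys/bus/thunderbolt/devices/domainX/security             -> none|user|secure|dponly|usbonly
#   /sys/bus/thunderbolt/devices/domainX/iommu_dma_protection -> 0|1
#   /sys/kernel/iommu_groups/<n>/                             -> one dir per IOMMU group
# "none" is Security Level 0 (SL0), the level the BIOS selects when Kernel
# DMA Protection is enabled. The first argument of every function is a root
# prefix ("" for the live system) so the logic can run against a constructed tree.

# Print the security level of the first Thunderbolt domain, or "absent".
tb_security_level() {
    for f in "$1"/sys/bus/thunderbolt/devices/domain*/security; do
        [ -f "$f" ] || continue
        cat "$f"
        return 0
    done
    echo absent
}

# Print 1 if any Thunderbolt domain reports IOMMU-based DMA protection,
# 0 if domains exist but none does, or "unknown" if the attribute is missing
# (kernel without the backport, or no Thunderbolt controller).
tb_iommu_dma_protection() {
    seen=0
    for f in "$1"/sys/bus/thunderbolt/devices/domain*/iommu_dma_protection; do
        [ -f "$f" ] || continue
        seen=1
        if [ "$(cat "$f")" = "1" ]; then
            echo 1
            return 0
        fi
    done
    if [ "$seen" = 1 ]; then echo 0; else echo unknown; fi
}

# Count IOMMU groups; zero means the kernel did not enable the IOMMU at all.
iommu_group_count() {
    n=0
    for d in "$1"/sys/kernel/iommu_groups/*; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Summarise. Exit status 0: no external port is open to unrestricted DMA
# (IOMMU protection reported, a non-zero security level, or no Thunderbolt
# domain). Exit status 1: an SL0 port without IOMMU protection, which is the
# state the [Impact] section describes.
dma_protection_report() {
    sl=$(tb_security_level "$1")
    prot=$(tb_iommu_dma_protection "$1")
    groups=$(iommu_group_count "$1")
    echo "thunderbolt security level:       $sl"
    echo "thunderbolt iommu_dma_protection: $prot"
    echo "iommu groups:                     $groups"
    if [ "$sl" = absent ]; then
        echo "status: no Thunderbolt domain found"
        return 0
    fi
    if [ "$prot" = 1 ] && [ "$groups" -gt 0 ]; then
        echo "status: protected by IOMMU (Kernel DMA Protection active)"
        return 0
    fi
    if [ "$sl" = none ]; then
        echo "status: EXPOSED: SL0 port and no IOMMU DMA protection reported"
        return 1
    fi
    echo "status: relying on Thunderbolt security level '$sl'"
    return 0
}

# Report on the live system (or on DMA_CHECK_ROOT) when executed directly;
# set DMA_CHECK_NO_MAIN=1 to only define the functions.
if [ -z "${DMA_CHECK_NO_MAIN:-}" ]; then
    dma_protection_report "${DMA_CHECK_ROOT:-}" || true
fi
```

On a platform with the fix and Kernel DMA Protection on, the expected report is security level `none`, `iommu_dma_protection` `1` and a non-zero group count; the same `none` with `0` or `unknown` is the exposed configuration the [Impact] section warns about, and is what an unpatched bionic or cosmic kernel would show on such hardware.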
tags: added: originate-from-1807802 sutton
Changed in hwe-next:
  assignee: nobody → AaronMa (mapengyu)
Changed in hwe-next:
  status: New → In Progress
  importance: Undecided → Critical
Changed in linux (Ubuntu):
  status: Incomplete → Confirmed
  assignee: nobody → AaronMa (mapengyu)
  status: Confirmed → Invalid
Changed in linux-oem (Ubuntu):
  status: New → Invalid
Changed in linux-oem (Ubuntu Bionic):
  status: New → Fix Committed
Changed in linux-oem (Ubuntu Cosmic):
  status: New → Invalid
Changed in linux (Ubuntu Cosmic):
  status: New → Fix Committed
description: updated
description: updated
Changed in linux (Ubuntu Bionic):
  status: New → Fix Committed
tags: added: verification-done-bionic verification-done-cosmic; removed: verification-needed-bionic verification-needed-cosmic
Changed in linux-oem (Ubuntu Cosmic):
  status: Invalid → Fix Released
Changed in linux-oem (Ubuntu):
  status: Invalid → Fix Released
Changed in hwe-next:
  status: In Progress → Fix Released
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1820153
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.