[SRU][B/C/OEM]IOMMU: add kernel dma protection
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| HWE Next | | Critical | AaronMa | |
| linux (Ubuntu) | | Undecided | AaronMa | |
| Bionic | | Undecided | Unassigned | |
| Cosmic | | Undecided | Unassigned | |
| linux-oem (Ubuntu) | | Undecided | Unassigned | |
| Bionic | | Undecided | Unassigned | |
| Cosmic | | Undecided | Unassigned | |
Bug Description
SRU justification:
[Impact]
Recent systems ship with "Kernel DMA Protection" enabled by default in the BIOS. With this option enabled, the BIOS sets the "Thunderbolt Security Level" to "No Security (SL0)".
With that setting, the system is vulnerable to a DMA attack by a Thunderbolt device.
The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one.
Intel adds DMA_CTRL_
Use this flag to enable the IOMMU, and use _DSD to identify untrusted PCI devices.
[Fix]
Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on two Intel platforms that support the DMA opt-in flag, with a Thunderbolt docking station.
The IOMMU is enabled as expected with this fix.
Verified by QA's full test run with a temporary build of the bionic-oem kernel.
All tests passed on one system that supports "DMA protection" and one that does not.
[Regression Potential]
Upstream fix, verified on supported platforms; no effect on unsupported platforms.
Backported changes are fairly minimal.
These patches are included in the 5.0 kernel, so disco is fine.
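A check an administrator can run to confirm the state the [Test] section expects (IOMMU-based DMA protection active for Thunderbolt), added here as an example that is not part of the bug report or of the kernel patches. It reads the Thunderbolt domain's `iommu_dma_protection` and `security` sysfs attributes and the IOMMU units under /sys/class/iommu; the SYSROOT argument and the exit codes are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel patches): report
# whether the running kernel enforces IOMMU-based DMA protection for
# Thunderbolt, the state the [Test] section expects. It reads the domain's
# iommu_dma_protection attribute (added by "thunderbolt: Export IOMMU based
# DMA protection support to userspace"), the Thunderbolt security level,
# and the IOMMU units under /sys/class/iommu. SYSROOT is an assumed
# argument so the check can run against a constructed tree; pass "" live.
# Exit codes: 0 protected; 1 exposed (SL0, no IOMMU protection);
#             2 no Thunderbolt domain; 3 Thunderbolt security level only.
check_tb_dma_protection() {
    root="${1:-}"
    domain="$root/sys/bus/thunderbolt/devices/domain0"
    if [ ! -d "$domain" ]; then
        echo "no Thunderbolt domain0 under $root/sys"
        return 2
    fi
    security="unknown"
    if [ -r "$domain/security" ]; then
        read -r security < "$domain/security"
    fi
    dma_prot="0"
    if [ -r "$domain/iommu_dma_protection" ]; then
        read -r dma_prot < "$domain/iommu_dma_protection"
    fi
    # Count IOMMU units the kernel registered (dmar0, dmar1, ... on Intel VT-d).
    units=0
    for u in "$root"/sys/class/iommu/*; do
        [ -e "$u" ] && units=$((units + 1))
    done
    echo "thunderbolt security level: $security"
    echo "iommu_dma_protection: $dma_prot (IOMMU units registered: $units)"
    if [ "$dma_prot" = "1" ] && [ "$units" -gt 0 ]; then
        echo "OK: the IOMMU is protecting against DMA from Thunderbolt devices"
        return 0
    fi
    if [ "$security" = "none" ]; then
        echo "EXPOSED: security level is SL0 (none) and the IOMMU is not protecting DMA"
        return 1
    fi
    echo "PARTIAL: relying only on Thunderbolt security level '$security'"
    return 3
}
# Pass --live to check the running system; otherwise only the function is defined.
if [ "${1:-}" = "--live" ]; then
    check_tb_dma_protection ""
fi
```

On a machine without the fix and with the BIOS option described above, the expected output is the EXPOSED case; with the fix applied on a platform that sets the opt-in flag, it is the OK case.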
tags: added: originate-from-1807802 sutton
Changed in hwe-next:
  assignee: nobody → AaronMa (mapengyu)
Changed in linux (Ubuntu):
  status: New → Incomplete
Changed in hwe-next:
  status: New → In Progress
  importance: Undecided → Critical
Changed in linux (Ubuntu):
  status: Incomplete → Confirmed
  assignee: nobody → AaronMa (mapengyu)
  status: Confirmed → Invalid
Changed in linux-oem (Ubuntu):
  status: New → Invalid
Changed in linux-oem (Ubuntu Bionic):
  status: New → Fix Committed
Changed in linux-oem (Ubuntu Cosmic):
  status: New → Invalid
Changed in linux (Ubuntu Cosmic):
  status: New → Fix Committed
description: updated
description: updated
Changed in linux (Ubuntu Bionic):
  status: New → Fix Committed
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-cosmic
tags: added: verification-needed-bionic
tags: added: verification-done-bionic verification-done-cosmic removed: verification-needed-bionic verification-needed-cosmic
Launchpad Janitor (janitor) wrote: #4
This bug was fixed in the package linux - 4.18.0-18.19
---------------
linux (4.18.0-18.19) cosmic; urgency=medium
* linux: 4.18.0-18.19 -proposed tracker (LP: #1822796)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
- [Packaging] resync retpoline extraction
* 3b080b2564287be
triggers system hang on i386 (LP: #1812845)
- btrfs: raid56: properly unmap parity page in finish_
* [SRU][B/
- ACPI / property: Allow multiple property compatible _DSD entries
- PCI / ACPI: Identify untrusted PCI devices
- iommu/vt-d: Force IOMMU on for platform opt in hint
- iommu/vt-d: Do not enable ATS for untrusted devices
- thunderbolt: Export IOMMU based DMA protection support to userspace
- iommu/vt-d: Disable ATS support on untrusted devices
* Huawei Hi1822 NIC has poor performance (LP: #1820187)
- net-next: hinic: fix a problem in free_tx_poll()
- hinic: remove ndo_poll_controller
- net-next/hinic: add checksum offload and TSO support
- hinic: Fix l4_type parameter in hinic_task_
- net-next/
- net-next/hinic:add rx checksum offload for HiNIC
- net-next/hinic:fix a bug in set mac address
- net-next/hinic: fix a bug in rx data flow
- net: hinic: fix null pointer dereference on pointer hwdev
- hinic: optmize rx refill buffer mechanism
- net-next/hinic:add shutdown callback
- net-next/hinic: replace disable_
* [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
- Fonts: New Terminus large console font
- [Config]: enable highdpi Terminus 16x32 font support
* [19.04 FEAT] qeth: Enhanced link speed - kernel part (LP: #1814892)
- s390/qeth: report 25Gbit link speed
* Avoid potential memory corruption on HiSilicon SoCs (LP: #1819546)
- iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI payloads
* CVE-2017-5715
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
- x86/speculation: Propagate information about RSB filling mitigation to sysfs
- x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
- x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
- x86/retpoline: Remove minimal retpoline support
- x86/speculation: Update the TIF_SSBD comment
- x86/speculation: Clean up spectre_
- x86/speculation: Remove unnecessary ret variable in cpu_show_common()
- x86/speculation: Move STIPB/IBPB string conditionals out of
cpu_
- x86/speculation: Disable STIBP when enhanced IBRS is in use
- x86/speculation: Rename SSBD update functions
- x86/speculation: Reorganize speculation control MSRs update
- sched/smt: Make sched_smt_present track topology
- x86/Kconfig: Select SCHED_SMT if SMP enabled
- sched/smt: Expose sched_smt_present static key
- x86/speculation: Rework SMT state change
- x86/l1tf: Show actual SMT state
- x86/speculation: R...
Changed in linux (Ubuntu Cosmic):
  status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote: #5
This bug was fixed in the package linux - 4.15.0-48.51
---------------
linux (4.15.0-48.51) bionic; urgency=medium
* linux: 4.15.0-48.51 -proposed tracker (LP: #1822820)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
- [Packaging] resync retpoline extraction
* 3b080b2564287be
triggers system hang on i386 (LP: #1812845)
- btrfs: raid56: properly unmap parity page in finish_
* [P9][LTCTest]
(LP: #1719545)
- cpupower : Fix header name to read idle state name
* [amdgpu] screen corruption when using touchpad (LP: #1818617)
- drm/amdgpu/gmc: steal the appropriate amount of vram for fw hand-over (v3)
- drm/amdgpu: Free VGA stolen memory as soon as possible.
* [SRU][B/
- ACPICA: AML parser: attempt to continue loading table after error
- ACPI / property: Allow multiple property compatible _DSD entries
- PCI / ACPI: Identify untrusted PCI devices
- iommu/vt-d: Force IOMMU on for platform opt in hint
- iommu/vt-d: Do not enable ATS for untrusted devices
- thunderbolt: Export IOMMU based DMA protection support to userspace
- iommu/vt-d: Disable ATS support on untrusted devices
* Add basic support to NVLink2 passthrough (LP: #1819989)
- powerpc/
enabled
- powerpc/powernv: call OPAL_QUIESCE before OPAL_SIGNAL_
- powerpc/powernv: Export opal_check_token symbol
- powerpc/powernv: Make possible for user to force a full ipl cec reboot
- powerpc/
- powerpc/powernv: Move npu struct from pnv_phb to pci_controller
- powerpc/
- powerpc/
- powerpc/
- powerpc/pseries: Remove IOMMU API support for non-LPAR systems
- powerpc/
- powerpc/
* Huawei Hi1822 NIC has poor performance (LP: #1820187)
- net-next: hinic: fix a problem in free_tx_poll()
- hinic: remove ndo_poll_controller
- net-next/hinic: add checksum offload and TSO support
- hinic: Fix l4_type parameter in hinic_task_
- net-next/
- net-next/hinic:add rx checksum offload for HiNIC
- net-next/hinic:fix a bug in set mac address
- net-next/hinic: fix a bug in rx data flow
- net: hinic: fix null pointer dereference on pointer hwdev
- hinic: optmize rx refill buffer mechanism
- net-next/hinic:add shutdown callback
- net-next/hinic: replace disable_
* [CONFIG] please enable highdpi font FONT_TER16x32 (LP: #1819881)
- Fonts: New Terminus large console font
- [Config]: enable highdpi Terminus 16x32 font support
* [19.04 FEAT] qeth: Enhanced link...
Changed in linux (Ubuntu Bionic):
  status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote: #6
This bug was fixed in the package linux-oem - 4.15.0-1036.41
---------------
linux-oem (4.15.0-1036.41) bionic; urgency=medium
* linux-oem: 4.15.0-1036.41 -proposed tracker (LP: #1822803)
* Need to add Intel CML related pci-id's (LP: #1821863)
- drm/i915/cml: Introduce Comet Lake PCH
- drm/i915/cml: Add CML PCI IDS
* [SRU] [B/OEM] Fix ACPI bug that causes boot failure (LP: #1819921)
- SAUCE: ACPI / bus: Add some Lenovo laptops in list of acpi table term list
* Miscellaneous Ubuntu changes
- [Config] update configs following rebase to 4.15.0-48.51
[ Ubuntu: 4.15.0-48.51 ]
* linux: 4.15.0-48.51 -proposed tracker (LP: #1822820)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
- [Packaging] resync retpoline extraction
* 3b080b2564287be
triggers system hang on i386 (LP: #1812845)
- btrfs: raid56: properly unmap parity page in finish_
* [P9][LTCTest]
(LP: #1719545)
- cpupower : Fix header name to read idle state name
* [amdgpu] screen corruption when using touchpad (LP: #1818617)
- drm/amdgpu/gmc: steal the appropriate amount of vram for fw hand-over (v3)
- drm/amdgpu: Free VGA stolen memory as soon as possible.
* [SRU][B/
- ACPICA: AML parser: attempt to continue loading table after error
- ACPI / property: Allow multiple property compatible _DSD entries
- PCI / ACPI: Identify untrusted PCI devices
- iommu/vt-d: Force IOMMU on for platform opt in hint
- iommu/vt-d: Do not enable ATS for untrusted devices
- thunderbolt: Export IOMMU based DMA protection support to userspace
- iommu/vt-d: Disable ATS support on untrusted devices
* Add basic support to NVLink2 passthrough (LP: #1819989)
- powerpc/
enabled
- powerpc/powernv: call OPAL_QUIESCE before OPAL_SIGNAL_
- powerpc/powernv: Export opal_check_token symbol
- powerpc/powernv: Make possible for user to force a full ipl cec reboot
- powerpc/
- powerpc/powernv: Move npu struct from pnv_phb to pci_controller
- powerpc/
- powerpc/
- powerpc/
- powerpc/pseries: Remove IOMMU API support for non-LPAR systems
- powerpc/
- powerpc/
* Huawei Hi1822 NIC has poor performance (LP: #1820187)
- net-next: hinic: fix a problem in free_tx_poll()
- hinic: remove ndo_poll_controller
- net-next/hinic: add checksum offload and TSO support
- hinic: Fix l4_type parameter in hinic_task_
- net-next/
- net-next/hinic:add rx checksum offload for HiNIC
- net-next/hinic:fix a bug in set...
Changed in linux-oem (Ubuntu Bionic):
  status: Fix Committed → Fix Released
Changed in linux-oem (Ubuntu Cosmic):
  status: Invalid → Fix Released
Changed in linux-oem (Ubuntu):
  status: Invalid → Fix Released
Changed in hwe-next:
  status: In Progress → Fix Released
Steve Langasek (vorlon) wrote: Update Released #9
The verification of the Stable Release Update for linux-azure has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1820153
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.