2019-03-15 04:54:31 |
AaronMa |
bug |
|
|
added bug |
2019-03-15 04:55:30 |
AaronMa |
bug |
|
|
added subscriber Canonical Hardware Enablement |
2019-03-15 04:55:33 |
AaronMa |
tags |
|
originate-from-1807802 sutton |
|
2019-03-15 04:55:59 |
AaronMa |
hwe-next: assignee |
|
AaronMa (mapengyu) |
|
2019-03-15 05:00:08 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
2019-03-15 05:21:39 |
AaronMa |
hwe-next: status |
New |
In Progress |
|
2019-03-15 05:21:44 |
AaronMa |
hwe-next: importance |
Undecided |
Critical |
|
2019-03-20 08:49:31 |
Anthony Wong |
linux (Ubuntu): status |
Incomplete |
Confirmed |
|
2019-03-20 08:49:42 |
Anthony Wong |
linux (Ubuntu): assignee |
|
AaronMa (mapengyu) |
|
2019-03-20 08:50:17 |
Anthony Wong |
nominated for series |
|
Ubuntu Cosmic |
|
2019-03-20 08:50:17 |
Anthony Wong |
bug task added |
|
linux (Ubuntu Cosmic) |
|
2019-03-20 08:50:17 |
Anthony Wong |
nominated for series |
|
Ubuntu Bionic |
|
2019-03-20 08:50:17 |
Anthony Wong |
bug task added |
|
linux (Ubuntu Bionic) |
|
2019-03-20 08:50:32 |
Anthony Wong |
linux (Ubuntu): status |
Confirmed |
Invalid |
|
2019-03-20 08:50:42 |
Anthony Wong |
bug task added |
|
linux-oem (Ubuntu) |
|
2019-03-20 08:51:01 |
Anthony Wong |
linux-oem (Ubuntu): status |
New |
Invalid |
|
2019-03-28 06:15:17 |
Khaled El Mously |
linux-oem (Ubuntu Bionic): status |
New |
Fix Committed |
|
2019-03-28 13:52:51 |
Stefan Bader |
linux-oem (Ubuntu Cosmic): status |
New |
Invalid |
|
2019-03-28 15:29:21 |
Khaled El Mously |
linux (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2019-03-28 17:06:33 |
AaronMa |
description |
SRU justification:
[Impact]
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that support DMA opt in flag with a thunderbolt dock station.
IOMMU enabled as expected with this fix.
[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good. |
SRU justification:
[Impact]
Recent systems are shipping with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changed "Thunderbolt Security Level" = "No Security (SL0)".
With this setting systems will be vulnerable to a DMA attack by a thunderbolt device.
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that support DMA opt in flag with a thunderbolt dock station.
IOMMU enabled as expected with this fix.
[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good. |
|
2019-03-28 17:13:04 |
AaronMa |
description |
SRU justification:
[Impact]
Recent systems are shipping with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changed "Thunderbolt Security Level" = "No Security (SL0)".
With this setting systems will be vulnerable to a DMA attack by a thunderbolt device.
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that support DMA opt in flag with a thunderbolt dock station.
IOMMU enabled as expected with this fix.
[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good. |
SRU justification:
[Impact]
Recent systems are shipping with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changed "Thunderbolt Security Level" = "No Security (SL0)".
With this setting systems will be vulnerable to a DMA attack by a thunderbolt device.
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that support DMA opt in flag with a thunderbolt dock station.
IOMMU enabled as expected with this fix.
Verified by QA's full test with a temporary build of bionic-oem kernel.
All tests passed on one supported "DMA protection" system and one
non-supported "DMA protection" system.
[Regression Potential]
Upstream fix, verified on supported platforms, no effect on unsupported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good. |
|
2019-04-01 03:59:16 |
Khaled El Mously |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
2019-04-04 18:01:38 |
Ubuntu Kernel Bot |
tags |
originate-from-1807802 sutton |
originate-from-1807802 sutton verification-needed-cosmic |
|
2019-04-04 18:04:31 |
Ubuntu Kernel Bot |
tags |
originate-from-1807802 sutton verification-needed-cosmic |
originate-from-1807802 sutton verification-needed-bionic verification-needed-cosmic |
|
2019-04-08 08:58:12 |
AaronMa |
tags |
originate-from-1807802 sutton verification-needed-bionic verification-needed-cosmic |
originate-from-1807802 sutton verification-done-bionic verification-done-cosmic |
|
2019-04-23 21:35:02 |
Launchpad Janitor |
linux (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-04-23 21:35:02 |
Launchpad Janitor |
cve linked |
|
2017-5715 |
|
2019-04-24 07:39:21 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-04-24 07:39:21 |
Launchpad Janitor |
cve linked |
|
2017-5754 |
|
2019-04-24 07:39:21 |
Launchpad Janitor |
cve linked |
|
2018-3639 |
|
2019-04-24 08:01:51 |
Launchpad Janitor |
linux-oem (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-04-29 10:10:43 |
Launchpad Janitor |
linux-oem (Ubuntu Cosmic): status |
Invalid |
Fix Released |
|
2019-04-29 10:11:12 |
Launchpad Janitor |
linux-oem (Ubuntu): status |
Invalid |
Fix Released |
|
2019-05-08 13:58:26 |
Anthony Wong |
hwe-next: status |
In Progress |
Fix Released |
|