This patchset defines a denylist of devices in the vfio-pci module and adds
the current generation of Intel(R) QuickAssist devices to it as they are
not designed to run in an untrusted environment.
By default, if a device is in the denylist, the probe of vfio-pci fails.
If a user wants to use a device in the denylist, he needs to disable the
full denylist providing the option disable_denylist=1 at the load of
vfio-pci or specifying that parameter in a config file in /etc/modprobe.d.
This series also moves the device ids definitions present in the qat driver
to linux/pci_ids.h since they will be shared between the vfio-pci and the qat
drivers and replaces the custom ADF_SYSTEM_DEVICE macro with PCI_VDEVICE.
The series is applicable to Herbert's tree. Patches 1 to 3 apply also to
Alex's tree (next). Patches 4 and 5 are optional and can be applied at a later
stage.
Changes from v4:
- Patch #2: added Reviewed-by tag from Cornelia Huck
- Patch #5: added Suggested-by tag as this change was suggested internally
by Andy Shevchenko
- Patches 1-5: added Reviewed-by tag from Fiona Trahe
Changes from v3:
- Patch #1: included Acked-by tag, after ack from Bjorn Helgaas
- Patch #2: s/prevents/allows/ in module parameter description
Changes from v2:
- Renamed blocklist in denylist
- Patch #2: reworded module parameter description to clarify why a device is
in the denylist
- Patch #2: reworded warning that occurs when denylist is enabled and device
is present in that list
Changes from v1:
- Reworked commit messages:
Patches #1, #2 and #3: capitalized first character after column to comply to
subject line convention
Patch #3: Capitalized QAT acronym and added link and doc number for document
"Intel® QuickAssist Technology (Intel® QAT) Software for Linux"
Giovanni Cabiddu (5):
PCI: Add Intel QuickAssist device IDs
vfio/pci: Add device denylist
vfio/pci: Add QAT devices to denylist
crypto: qat - replace device ids defines
crypto: qat - use PCI_VDEVICE
drivers/crypto/qat/qat_c3xxx/adf_drv.c | 11 ++---
drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 11 ++---
drivers/crypto/qat/qat_c62x/adf_drv.c | 11 ++---
drivers/crypto/qat/qat_c62xvf/adf_drv.c | 11 ++---
.../crypto/qat/qat_common/adf_accel_devices.h | 6 ---
drivers/crypto/qat/qat_common/qat_hal.c | 7 +--
drivers/crypto/qat/qat_common/qat_uclo.c | 9 ++--
drivers/crypto/qat/qat_dh895xcc/adf_drv.c | 11 ++---
drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 11 ++---
drivers/vfio/pci/vfio_pci.c | 48 +++++++++++++++++++
include/linux/pci_ids.h | 6 +++
11 files changed, 87 insertions(+), 55 deletions(-)
--
2.26.2
Add device IDs for the following Intel QuickAssist devices: DH895XCC,
C3XXX and C62X.
The defines in this patch are going to be referenced in two independent
drivers, qat and vfio-pci.
Signed-off-by: Giovanni Cabiddu <[email protected]>
Acked-by: Bjorn Helgaas <[email protected]>
Reviewed-by: Fiona Trahe <[email protected]>
---
include/linux/pci_ids.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
index 0ad57693f392..f3166b1425ca 100644
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2659,6 +2659,8 @@
#define PCI_DEVICE_ID_INTEL_80332_1 0x0332
#define PCI_DEVICE_ID_INTEL_80333_0 0x0370
#define PCI_DEVICE_ID_INTEL_80333_1 0x0372
+#define PCI_DEVICE_ID_INTEL_QAT_DH895XCC 0x0435
+#define PCI_DEVICE_ID_INTEL_QAT_DH895XCC_VF 0x0443
#define PCI_DEVICE_ID_INTEL_82375 0x0482
#define PCI_DEVICE_ID_INTEL_82424 0x0483
#define PCI_DEVICE_ID_INTEL_82378 0x0484
@@ -2708,6 +2710,8 @@
#define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_4C_NHI 0x1577
#define PCI_DEVICE_ID_INTEL_ALPINE_RIDGE_4C_BRIDGE 0x1578
#define PCI_DEVICE_ID_INTEL_80960_RP 0x1960
+#define PCI_DEVICE_ID_INTEL_QAT_C3XXX 0x19e2
+#define PCI_DEVICE_ID_INTEL_QAT_C3XXX_VF 0x19e3
#define PCI_DEVICE_ID_INTEL_82840_HB 0x1a21
#define PCI_DEVICE_ID_INTEL_82845_HB 0x1a30
#define PCI_DEVICE_ID_INTEL_IOAT 0x1a38
@@ -2924,6 +2928,8 @@
#define PCI_DEVICE_ID_INTEL_IOAT_JSF7 0x3717
#define PCI_DEVICE_ID_INTEL_IOAT_JSF8 0x3718
#define PCI_DEVICE_ID_INTEL_IOAT_JSF9 0x3719
+#define PCI_DEVICE_ID_INTEL_QAT_C62X 0x37c8
+#define PCI_DEVICE_ID_INTEL_QAT_C62X_VF 0x37c9
#define PCI_DEVICE_ID_INTEL_ICH10_0 0x3a14
#define PCI_DEVICE_ID_INTEL_ICH10_1 0x3a16
#define PCI_DEVICE_ID_INTEL_ICH10_2 0x3a18
--
2.26.2
The current generation of Intel® QuickAssist Technology devices
are not designed to run in an untrusted environment because of the
following issues reported in the document "Intel® QuickAssist Technology
(Intel® QAT) Software for Linux" (document number 336211-014):
QATE-39220 - GEN - Intel® QAT API submissions with bad addresses that
trigger DMA to invalid or unmapped addresses can cause a
platform hang
QATE-7495 - GEN - An incorrectly formatted request to Intel® QAT can
hang the entire Intel® QAT Endpoint
The document is downloadable from https://01.org/intel-quickassist-technology
at the following link:
https://01.org/sites/default/files/downloads/336211-014-qatforlinux-releasenotes-hwv1.7_0.pdf
This patch adds the following QAT devices to the denylist: DH895XCC,
C3XXX and C62X.
Signed-off-by: Giovanni Cabiddu <[email protected]>
Reviewed-by: Fiona Trahe <[email protected]>
---
drivers/vfio/pci/vfio_pci.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 0101f41e7834..bcc22d19ee07 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -75,6 +75,21 @@ static inline bool vfio_vga_disabled(void)
static bool vfio_pci_dev_in_denylist(struct pci_dev *pdev)
{
+ switch (pdev->vendor) {
+ case PCI_VENDOR_ID_INTEL:
+ switch (pdev->device) {
+ case PCI_DEVICE_ID_INTEL_QAT_C3XXX:
+ case PCI_DEVICE_ID_INTEL_QAT_C3XXX_VF:
+ case PCI_DEVICE_ID_INTEL_QAT_C62X:
+ case PCI_DEVICE_ID_INTEL_QAT_C62X_VF:
+ case PCI_DEVICE_ID_INTEL_QAT_DH895XCC:
+ case PCI_DEVICE_ID_INTEL_QAT_DH895XCC_VF:
+ return true;
+ default:
+ return false;
+ }
+ }
+
return false;
}
--
2.26.2
Add denylist of devices that by default are not probed by vfio-pci.
Devices in this list may be susceptible to untrusted application, even
if the IOMMU is enabled. To be accessed via vfio-pci, the user has to
explicitly disable the denylist.
The denylist can be disabled via the module parameter disable_denylist.
Signed-off-by: Giovanni Cabiddu <[email protected]>
Reviewed-by: Cornelia Huck <[email protected]>
Reviewed-by: Fiona Trahe <[email protected]>
---
drivers/vfio/pci/vfio_pci.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 7c0779018b1b..0101f41e7834 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -60,6 +60,10 @@ module_param(enable_sriov, bool, 0644);
MODULE_PARM_DESC(enable_sriov, "Enable support for SR-IOV configuration. Enabling SR-IOV on a PF typically requires support of the userspace PF driver, enabling VFs without such support may result in non-functional VFs or PF.");
#endif
+static bool disable_denylist;
+module_param(disable_denylist, bool, 0444);
+MODULE_PARM_DESC(disable_denylist, "Disable use of device denylist. Disabling the denylist allows binding to devices with known errata that may lead to exploitable stability or security issues when accessed by untrusted users.");
+
static inline bool vfio_vga_disabled(void)
{
#ifdef CONFIG_VFIO_PCI_VGA
@@ -69,6 +73,29 @@ static inline bool vfio_vga_disabled(void)
#endif
}
+static bool vfio_pci_dev_in_denylist(struct pci_dev *pdev)
+{
+ return false;
+}
+
+static bool vfio_pci_is_denylisted(struct pci_dev *pdev)
+{
+ if (!vfio_pci_dev_in_denylist(pdev))
+ return false;
+
+ if (disable_denylist) {
+ pci_warn(pdev,
+ "device denylist disabled - allowing device %04x:%04x.\n",
+ pdev->vendor, pdev->device);
+ return false;
+ }
+
+ pci_warn(pdev, "%04x:%04x exists in vfio-pci device denylist, driver probing disallowed.\n",
+ pdev->vendor, pdev->device);
+
+ return true;
+}
+
/*
* Our VGA arbiter participation is limited since we don't know anything
* about the device itself. However, if the device is the only VGA device
@@ -1847,6 +1874,9 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
struct iommu_group *group;
int ret;
+ if (vfio_pci_is_denylisted(pdev))
+ return -EINVAL;
+
if (pdev->hdr_type != PCI_HEADER_TYPE_NORMAL)
return -EINVAL;
@@ -2336,6 +2366,9 @@ static int __init vfio_pci_init(void)
vfio_pci_fill_ids();
+ if (disable_denylist)
+ pr_warn("device denylist disabled.\n");
+
return 0;
out_driver:
--
2.26.2
On Fri, Jul 24, 2020 at 1:59 PM Giovanni Cabiddu
<[email protected]> wrote:
>
> This patchset defines a denylist of devices in the vfio-pci module and adds
> the current generation of Intel(R) QuickAssist devices to it as they are
> not designed to run in an untrusted environment.
>
> By default, if a device is in the denylist, the probe of vfio-pci fails.
> If a user wants to use a device in the denylist, he needs to disable the
> full denylist providing the option disable_denylist=1 at the load of
> vfio-pci or specifying that parameter in a config file in /etc/modprobe.d.
>
> This series also moves the device ids definitions present in the qat driver
> to linux/pci_ids.h since they will be shared between the vfio-pci and the qat
> drivers and replaces the custom ADF_SYSTEM_DEVICE macro with PCI_VDEVICE.
>
> The series is applicable to Herbert's tree. Patches 1 to 3 apply also to
> Alex's tree (next). Patches 4 and 5 are optional and can be applied at a later
> stage.
Thanks!
FWIW,
Reviewed-by: Andy Shevchenko <[email protected]>
> Changes from v4:
> - Patch #2: added Reviewed-by tag from Cornelia Huck
> - Patch #5: added Suggested-by tag as this change was suggested internally
> by Andy Shevchenko
> - Patches 1-5: added Reviewed-by tag from Fiona Trahe
>
> Changes from v3:
> - Patch #1: included Acked-by tag, after ack from Bjorn Helgaas
> - Patch #2: s/prevents/allows/ in module parameter description
>
> Changes from v2:
> - Renamed blocklist in denylist
> - Patch #2: reworded module parameter description to clarify why a device is
> in the denylist
> - Patch #2: reworded warning that occurs when denylist is enabled and device
> is present in that list
>
> Changes from v1:
> - Reworked commit messages:
> Patches #1, #2 and #3: capitalized first character after column to comply to
> subject line convention
> Patch #3: Capitalized QAT acronym and added link and doc number for document
> "Intel® QuickAssist Technology (Intel® QAT) Software for Linux"
>
>
> Giovanni Cabiddu (5):
> PCI: Add Intel QuickAssist device IDs
> vfio/pci: Add device denylist
> vfio/pci: Add QAT devices to denylist
> crypto: qat - replace device ids defines
> crypto: qat - use PCI_VDEVICE
>
> drivers/crypto/qat/qat_c3xxx/adf_drv.c | 11 ++---
> drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 11 ++---
> drivers/crypto/qat/qat_c62x/adf_drv.c | 11 ++---
> drivers/crypto/qat/qat_c62xvf/adf_drv.c | 11 ++---
> .../crypto/qat/qat_common/adf_accel_devices.h | 6 ---
> drivers/crypto/qat/qat_common/qat_hal.c | 7 +--
> drivers/crypto/qat/qat_common/qat_uclo.c | 9 ++--
> drivers/crypto/qat/qat_dh895xcc/adf_drv.c | 11 ++---
> drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 11 ++---
> drivers/vfio/pci/vfio_pci.c | 48 +++++++++++++++++++
> include/linux/pci_ids.h | 6 +++
> 11 files changed, 87 insertions(+), 55 deletions(-)
>
> --
> 2.26.2
>
--
With Best Regards,
Andy Shevchenko