Rename the field to make it more clear, that the device can execute DMA
attacks on the system, and thus the system may need protection from
such attacks from this device.
No functional change intended.
Signed-off-by: Rajat Jain <[email protected]>
---
v4: Initial version, created based on comments on other patch
drivers/iommu/dma-iommu.c | 6 +++---
drivers/iommu/intel/iommu.c | 2 +-
drivers/iommu/iommu.c | 2 +-
drivers/pci/ats.c | 2 +-
drivers/pci/pci.c | 2 +-
drivers/pci/probe.c | 8 ++++----
drivers/pci/quirks.c | 2 +-
include/linux/pci.h | 5 +++--
8 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index d85d54f2b549..ce10bfa86cf7 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -497,14 +497,14 @@ static int iova_reserve_iommu_regions(struct device *dev,
return ret;
}
-static bool dev_is_untrusted(struct device *dev)
+static bool dev_poses_dma_risk(struct device *dev)
{
- return dev_is_pci(dev) && to_pci_dev(dev)->untrusted;
+ return dev_is_pci(dev) && to_pci_dev(dev)->poses_dma_risk;
}
static bool dev_use_swiotlb(struct device *dev)
{
- return IS_ENABLED(CONFIG_SWIOTLB) && dev_is_untrusted(dev);
+ return IS_ENABLED(CONFIG_SWIOTLB) && dev_poses_dma_risk(dev);
}
/**
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 92fea3fbbb11..2e963a153c71 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -5570,7 +5570,7 @@ intel_iommu_enable_nesting(struct iommu_domain *domain)
*/
static bool risky_device(struct pci_dev *pdev)
{
- if (pdev->untrusted) {
+ if (pdev->poses_dma_risk) {
pci_info(pdev,
"Skipping IOMMU quirk for dev [%04X:%04X] on untrusted PCI link\n",
pdev->vendor, pdev->device);
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 8b86406b7162..81433aab0245 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1522,7 +1522,7 @@ static int iommu_get_def_domain_type(struct device *dev)
{
const struct iommu_ops *ops = dev->bus->iommu_ops;
- if (dev_is_pci(dev) && to_pci_dev(dev)->untrusted)
+ if (dev_is_pci(dev) && to_pci_dev(dev)->poses_dma_risk)
return IOMMU_DOMAIN_DMA;
if (ops->def_domain_type)
diff --git a/drivers/pci/ats.c b/drivers/pci/ats.c
index c967ad6e2626..6390fbeaaa02 100644
--- a/drivers/pci/ats.c
+++ b/drivers/pci/ats.c
@@ -42,7 +42,7 @@ bool pci_ats_supported(struct pci_dev *dev)
if (!dev->ats_cap)
return false;
- return (dev->untrusted == 0);
+ return (dev->poses_dma_risk == 0);
}
EXPORT_SYMBOL_GPL(pci_ats_supported);
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 9ecce435fb3f..526d26f2011b 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -958,7 +958,7 @@ static void pci_std_enable_acs(struct pci_dev *dev)
ctrl |= (cap & PCI_ACS_UF);
/* Enable Translation Blocking for external devices and noats */
- if (pci_ats_disabled() || dev->external_facing || dev->untrusted)
+ if (pci_ats_disabled() || dev->external_facing || dev->poses_dma_risk)
ctrl |= (cap & PCI_ACS_TB);
pci_write_config_word(dev, pos + PCI_ACS_CTRL, ctrl);
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 17a969942d37..7ae1ed312c47 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1587,7 +1587,7 @@ static void set_pcie_thunderbolt(struct pci_dev *dev)
dev->is_thunderbolt = 1;
}
-static void set_pcie_untrusted(struct pci_dev *dev)
+static void pci_check_if_dev_poses_dma_risk(struct pci_dev *dev)
{
struct pci_dev *parent;
@@ -1596,8 +1596,8 @@ static void set_pcie_untrusted(struct pci_dev *dev)
* untrusted as well.
*/
parent = pci_upstream_bridge(dev);
- if (parent && (parent->untrusted || parent->external_facing))
- dev->untrusted = true;
+ if (parent && (parent->poses_dma_risk || parent->external_facing))
+ dev->poses_dma_risk = true;
}
static void pci_set_removable(struct pci_dev *dev)
@@ -1862,7 +1862,7 @@ int pci_setup_device(struct pci_dev *dev)
/* Need to have dev->cfg_size ready */
set_pcie_thunderbolt(dev);
- set_pcie_untrusted(dev);
+ pci_check_if_dev_poses_dma_risk(dev);
/* "Unknown power state" */
dev->current_state = PCI_UNKNOWN;
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index d2dd6a6cda60..5c601c6c30bf 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -5122,7 +5122,7 @@ static int pci_quirk_enable_intel_spt_pch_acs(struct pci_dev *dev)
ctrl |= (cap & PCI_ACS_CR);
ctrl |= (cap & PCI_ACS_UF);
- if (pci_ats_disabled() || dev->external_facing || dev->untrusted)
+ if (pci_ats_disabled() || dev->external_facing || dev->poses_dma_risk)
ctrl |= (cap & PCI_ACS_TB);
pci_write_config_dword(dev, pos + INTEL_SPT_ACS_CTRL, ctrl);
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 678fecdf6b81..75547fd5587c 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -444,13 +444,14 @@ struct pci_dev {
unsigned int shpc_managed:1; /* SHPC owned by shpchp */
unsigned int is_thunderbolt:1; /* Thunderbolt controller */
/*
- * Devices marked being untrusted are the ones that can potentially
+ * Devices marked with "poses_dma_risk" can potentially
* execute DMA attacks and similar. They are typically connected
* through external ports such as Thunderbolt but not limited to
* that. When an IOMMU is enabled they should be getting full
* mappings to make sure they cannot access arbitrary memory.
*/
- unsigned int untrusted:1;
+ unsigned int poses_dma_risk:1;
+
/*
* Info from the platform, e.g., ACPI or device tree, may mark a
* device as "external-facing". An external-facing device is
--
2.35.1.894.gb6a874cedc-goog
The "DmaProperty" is supported and documented by Microsoft here:
https://docs.microsoft.com/en-us/windows-hardware/drivers/pci/dsd-for-pcie-root-ports
They use this property for DMA protection:
https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
Support the "DmaProperty" with the same semantics. This is useful for
internal PCI devices that do not hang off a PCIe rootport, but offer
an attack surface for DMA attacks (e.g. internal network devices).
Signed-off-by: Rajat Jain <[email protected]>
---
v4: * Add the GUID.
* Use the (now) renamed property - pci_dev->poses_dma_risk)
* Update the comment and commitlog.
v3: * Use Microsoft's documented property "DmaProperty"
* Resctrict to ACPI only
drivers/acpi/property.c | 3 +++
drivers/pci/pci-acpi.c | 16 ++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index d0986bda2964..20603cacc28d 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -48,6 +48,9 @@ static const guid_t prp_guids[] = {
/* Storage device needs D3 GUID: 5025030f-842f-4ab4-a561-99a5189762d0 */
GUID_INIT(0x5025030f, 0x842f, 0x4ab4,
0xa5, 0x61, 0x99, 0xa5, 0x18, 0x97, 0x62, 0xd0),
+ /* DmaProperty for PCI devices GUID: 70d24161-6dd5-4c9e-8070-705531292865 */
+ GUID_INIT(0x70d24161, 0x6dd5, 0x4c9e,
+ 0x80, 0x70, 0x70, 0x55, 0x31, 0x29, 0x28, 0x65),
};
/* ACPI _DSD data subnodes GUID: dbb8e3e6-5886-4ba6-8795-1319f52a966b */
diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c
index 1f15ab7eabf8..5360f1af2ed3 100644
--- a/drivers/pci/pci-acpi.c
+++ b/drivers/pci/pci-acpi.c
@@ -1350,12 +1350,28 @@ static void pci_acpi_set_external_facing(struct pci_dev *dev)
dev->external_facing = 1;
}
+static void pci_acpi_check_for_dma_protection(struct pci_dev *dev)
+{
+ u8 val;
+
+ /*
+ * Property also used by Microsoft Windows for same purpose,
+ * (to implement DMA protection from a device, using the IOMMU).
+ */
+ if (device_property_read_u8(&dev->dev, "DmaProperty", &val))
+ return;
+
+ if (val)
+ dev->poses_dma_risk = 1;
+}
+
void pci_acpi_setup(struct device *dev, struct acpi_device *adev)
{
struct pci_dev *pci_dev = to_pci_dev(dev);
pci_acpi_optimize_delay(pci_dev, adev->handle);
pci_acpi_set_external_facing(pci_dev);
+ pci_acpi_check_for_dma_protection(pci_dev);
pci_acpi_add_edr_notifier(pci_dev);
pci_acpi_add_pm_notifier(adev, pci_dev);
--
2.35.1.894.gb6a874cedc-goog
On Tue, Mar 22, 2022 at 10:02 AM Christoph Hellwig <[email protected]> wrote:
>
> On Sat, Mar 19, 2022 at 11:29:05PM -0700, Rajat Jain wrote:
> > Rename the field to make it more clear, that the device can execute DMA
> > attacks on the system, and thus the system may need protection from
> > such attacks from this device.
> >
> > No functional change intended.
> >
> > Signed-off-by: Rajat Jain <[email protected]>
> > ---
> > v4: Initial version, created based on comments on other patch
>
> What a horrible name. Why not untrusted_dma which captures the
> intent much better?
FWIW, I like this one much better too.
On Sat, Mar 19, 2022 at 11:29:05PM -0700, Rajat Jain wrote:
> Rename the field to make it more clear, that the device can execute DMA
> attacks on the system, and thus the system may need protection from
> such attacks from this device.
>
> No functional change intended.
>
> Signed-off-by: Rajat Jain <[email protected]>
> ---
> v4: Initial version, created based on comments on other patch
What a horrible name. Why not untrusted_dma which captures the
intent much better?
On Tue, Mar 22, 2022 at 01:09:55PM -0700, Rajat Jain wrote:
> On Tue, Mar 22, 2022 at 4:12 AM Rafael J. Wysocki <[email protected]> wrote:
> >
> > On Tue, Mar 22, 2022 at 10:02 AM Christoph Hellwig <[email protected]> wrote:
> > >
> > > On Sat, Mar 19, 2022 at 11:29:05PM -0700, Rajat Jain wrote:
> > > > Rename the field to make it more clear, that the device can execute DMA
> > > > attacks on the system, and thus the system may need protection from
> > > > such attacks from this device.
> > > >
> > > > No functional change intended.
> > > >
> > > > Signed-off-by: Rajat Jain <[email protected]>
> > > > ---
> > > > v4: Initial version, created based on comments on other patch
> > >
> > > What a horrible name. Why not untrusted_dma which captures the
> > > intent much better?
> >
> > FWIW, I like this one much better too.
>
> Sure, no problems. I can change the name to "untrusted_dma".
>
> Mika, can I carry forward your "Reviewed-by" tag with this name change too?
Sure :)
On Tue, Mar 22, 2022 at 4:12 AM Rafael J. Wysocki <[email protected]> wrote:
>
> On Tue, Mar 22, 2022 at 10:02 AM Christoph Hellwig <[email protected]> wrote:
> >
> > On Sat, Mar 19, 2022 at 11:29:05PM -0700, Rajat Jain wrote:
> > > Rename the field to make it more clear, that the device can execute DMA
> > > attacks on the system, and thus the system may need protection from
> > > such attacks from this device.
> > >
> > > No functional change intended.
> > >
> > > Signed-off-by: Rajat Jain <[email protected]>
> > > ---
> > > v4: Initial version, created based on comments on other patch
> >
> > What a horrible name. Why not untrusted_dma which captures the
> > intent much better?
>
> FWIW, I like this one much better too.
Sure, no problems. I can change the name to "untrusted_dma".
Mika, can I carry forward your "Reviewed-by" tag with this name change too?
Thanks & Best Regards,
Rajat