Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5222398imu;
        Tue, 13 Nov 2018 03:14:20 -0800 (PST)
X-Google-Smtp-Source: AJdET5ei/0U49CXvb6mbc651cNSDTY0vk7qmdRjMV0MqluLdYpyKjXgBgN+igLC1q86D5zPJva8I
X-Received: by 2002:a17:902:107:: with SMTP id 7-v6mr4717512plb.267.1542107660666;
        Tue, 13 Nov 2018 03:14:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542107660; cv=none;
        d=google.com; s=arc-20160816;
        b=u5rVQxM29hIJbd9OXUWnqOlXc0SbjhfSwoeBzztSjYG0h+r24kH0o686FZ3ARA2XSd
         +PYkeJdJujuAImbQJHqzefXQbM5PPF9A1vPuQb5Vy0NEvCvlaApgqCq4z1rOXX/WbBMy
         VzZHa2KjJRom+uRgVjlVQ++DnPHoVVF3im7GLFhhqKKHw823m1syyiHvtQvMLRDuy0z+
         vnlUn77AkjnSi18SEvEajen0ysTC23lcfyrrKj5PfcJou6NN9jiFlcghPTYFllTk5DHV
         7I54Axe9wKztQ5df5x6OO5Av12TktKNYXsiOGWX+SEw1v5b/Rfolc1bGegOT3GJ/cb+u
         6msg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:organization:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=Uh8hegQzvMPVZamnOSKfKXmHnK3s79Y0b01DTVOfuMs=;
        b=lcKMtxvEvtQZaCSSCFR8XtxxRsXlIVjpP6O37NhcFQyufa3n4QZqRvG/JIAW+WfpX2
         HrQ1I4MhVKEuy3hBocF+coeLvrvmpUdrKFAIBWwsbYUop6gUNxfx1x0TyORLpZg3dOt6
         XkEAFHlGpuDnZ+0hOK9uSLoTZHEnYmMxFBAUV/9y1ySfacDuO1in57m5Fqs9bnck/ZKj
         pmprLEWNHFe/aicm2UWTSL1WN1xANFxPLbYIYIfyE2IlTicPJHpNN4G9yWZsAbcPZ2DQ
         9yhzElpjZv8bPwatjN029CjOqBGLncMFY6vpFnnAqK7gy3egSxfvEiwwUK+BgAo7zBp3
         2dRA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j135-v6si23254854pfd.243.2018.11.13.03.14.06;
        Tue, 13 Nov 2018 03:14:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732430AbeKMVLV (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Tue, 13 Nov 2018 16:11:21 -0500
Received: from mga05.intel.com ([192.55.52.43]:33112 "EHLO mga05.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726581AbeKMVLV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Nov 2018 16:11:21 -0500
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from orsmga003.jf.intel.com ([10.7.209.27])
  by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Nov 2018 03:13:43 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,498,1534834800"; 
   d="scan'208";a="99851293"
Received: from lahna.fi.intel.com (HELO lahna) ([10.237.72.157])
  by orsmga003.jf.intel.com with SMTP; 13 Nov 2018 03:13:37 -0800
Received: by lahna (sSMTP sendmail emulation); Tue, 13 Nov 2018 13:13:36 +0200
Date:   Tue, 13 Nov 2018 13:13:36 +0200
From:   Mika Westerberg <mika.westerberg@linux.intel.com>
To:     Lukas Wunner <lukas@wunner.de>
Cc:     iommu@lists.linux-foundation.org, Joerg Roedel <joro@8bytes.org>,
        David Woodhouse <dwmw2@infradead.org>,
        Lu Baolu <baolu.lu@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Bjorn Helgaas <bhelgaas@google.com>,
        "Rafael J. Wysocki" <rjw@rjwysocki.net>,
        Jacob jun Pan <jacob.jun.pan@intel.com>,
        Andreas Noever <andreas.noever@gmail.com>,
        Michael Jamet <michael.jamet@intel.com>,
        Yehezkel Bernat <YehezkelShB@gmail.com>,
        Christian Kellner <ckellner@redhat.com>,
        Mario.Limonciello@dell.com,
        Anthony Wong <anthony.wong@canonical.com>,
        linux-acpi@vger.kernel.org, linux-pci@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/4] PCI / iommu / thunderbolt: IOMMU based DMA protection
Message-ID: <20181113111336.GS2500@lahna.fi.intel.com>
References: <20181112160628.86620-1-mika.westerberg@linux.intel.com>
 <20181112181214.xaahc5wni4vuwl6h@wunner.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20181112181214.xaahc5wni4vuwl6h@wunner.de>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 12, 2018 at 07:12:14PM +0100, Lukas Wunner wrote:
> On Mon, Nov 12, 2018 at 07:06:24PM +0300, Mika Westerberg wrote:
> > Recent systems shipping with Windows 10 version 1803 or newer may be
> > utilizing IOMMU to prevent DMA attacks via Thunderbolt ports. This is
> > different from the previous security level based scheme because the
> > connected device cannot access system memory outside of the regions
> > allocated for it by the driver.
> > 
> > When enabled the BIOS makes sure no device can do DMA outside of RMRR
> > (Reserved Memory Region Record) regions. This means that during OS boot,
> > before it enables IOMMU, none of the connected devices can bypass DMA
> > protection for instance by overwriting the data structures used by the
> > IOMMU. The BIOS communicates support for this to the OS by setting a new
> > bit in ACPI DMAR table [1].
> > 
> > Because these systems utilize an IOMMU to block possible DMA attacks,
> > typically (but not always) the Thunderbolt security level is set to "none"
> > which means that all PCIe devices are immediately usable. This also means
> > that Linux needs to follow Windows 10 and enable IOMMU automatically when
> > running on such system otherwise connected devices can read/write system
> > memory pretty much without any restrictions.
> 
> What if the system is booted from a Thunderbolt-attached disk?
> Won't this suddenly break with these patches?

Like Yehezkel commented, it either is not supported or alternatively it
is (the BIOS/boot loader utilizes IOMMU as well), loads the OS image and
what is needed from the disk, disables BME (bus mastering enable) and
resets the IOMMU back to the default state before handing over to the OS.

> That would seem like a pretty significant regression.  What if the
> only GPU in the system is Thunderbolt-attached?  Is it possible to
> recognize such scenarios and automatically exempt affected devices
> from IOMMU blocking?

"IOMMU blocking" does not mean that the device cannot be used at all. It
actually means that the device is immediately usable and can do DMA as
the driver has programmed (using DMA-API) but it cannot access any
memory outside of those regions the driver has programmed.

The point of this exercise is to prevent so called drive-by DMA attacks
where you go to take a cup of coffee and during that time someone plugs
in a malicous device to Thunderbolt port of your laptop and reads all
your secrets.

When IOMMU is enabled the malicous device still is usable (assuming
there is driver for it) but it cannot go and read all the memory, just
the memory driver has programmed.

So in your GPU case it should just work assuming the GPU has a driver.