Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1082594ybt; Wed, 1 Jul 2020 18:25:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzniIHip9mFTU5X9IlepkBT4AR/RS3/jTn+hbtcwWU2Pw7xUe988rutGQBqn3jerV8Xu1It X-Received: by 2002:aa7:df08:: with SMTP id c8mr31689955edy.372.1593653116585; Wed, 01 Jul 2020 18:25:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593653116; cv=none; d=google.com; s=arc-20160816; b=HMjjySeFyPbG2XzENTc3jYSMrCIrRyzoVgfpNR2iZgt0rA1fUeqXQQkAdqvVRVLW+0 dBBKZoHN5CnpTdUZ2Jfyqmc9rxs8RN+FjXxacqwQS8Rsw0Bso1MYRV66lrFwAKoAHBg5 Ng0Yyy4aR8Wn/sNZFm5ktlKjy3JLi99J9bPTiXL7N8ujmzI26KZ7H/YrwvE2XfVZCDvr Iz49v02A/Hp18SJ+OWrlHu8FXLOo2RbUlGUkU9WQW6KkiKgdZkORms8gHr/bined0Qaq RJ9SaAzx+dOdzbNmUcrhgoMkhwQmvP5MGFC0MDmcgcloHZLogZac5n8DyBZQs7IGwnvv mh3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Ks4X/QCSlRr7aFLszh43AGgVl0irvdPYEZJUX4+lZRM=; b=K5fsMNy4ckywRvGR0jndsbDvVCqPsrMS5hdlYJroWz6mWKopoKnKYqT6IsdVyGY3Fw CRJ3mOc1to0apFcmFXJ8S5paiProrlFtfpvOQ4aF1dsq5d2iKEG1HemQdBxJeWdcH60K u9Ug2di/dtnZpUNlZ77AtVKy4Ka3mQVkNTku8IPHpl1qsE48Rgt/B5uNnYnCQJXKzW+T K0zMpeu3fiSLLuiqCeu+Ey9sFke3x3y/3I2FGYrGBSI2mvuFh5c643Qpf9dsO72VkKY2 q2pmj1SSgjeKI33ZFa0DmvwdEZ9kBj2G9ioWjKyan3kzLNqC3438fPz+/K4qdQGO496o N48A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iTLgrp5a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b24si5204978edy.271.2020.07.01.18.24.53; Wed, 01 Jul 2020 18:25:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=iTLgrp5a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728476AbgGBBXr (ORCPT + 99 others); Wed, 1 Jul 2020 21:23:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:54190 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728403AbgGBBXg (ORCPT ); Wed, 1 Jul 2020 21:23:36 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 69EC42085B; Thu, 2 Jul 2020 01:23:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593653015; bh=ibe6rDC+3EONaG/gxl39s6UPgR4hUHTl63PztKAWdqE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=iTLgrp5aPN4Ilg53I+byGii9URIKuYqtXcHAEUGGU0D5FOyGIptL5Hamqi+4E90h4 Tj9GH8ao5v748d+sNoTik8Wa2ugVxIsVopTG71bb3YIeGszhgDa38CxCNi5Ox60rS0 IpRweK3Imc4/gdwD2AsxDJiNKm7DDdeFwm35C8m4= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Rajat Jain , Ashok Raj , Mika Westerberg , Lu Baolu , Joerg Roedel , Sasha Levin , iommu@lists.linux-foundation.org Subject: [PATCH AUTOSEL 5.7 32/53] iommu/vt-d: Don't apply gfx quirks to untrusted devices Date: Wed, 1 Jul 2020 21:21:41 -0400 Message-Id: <20200702012202.2700645-32-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200702012202.2700645-1-sashal@kernel.org> References: <20200702012202.2700645-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rajat Jain [ Upstream commit 67e8a5b18d41af9298db5c17193f671f235cce01 ] Currently, an external malicious PCI device can masquerade the VID:PID of faulty gfx devices, and thus apply iommu quirks to effectively disable the IOMMU restrictions for itself. Thus we need to ensure that the device we are applying quirks to, is indeed an internal trusted device. Signed-off-by: Rajat Jain Reviewed-by: Ashok Raj Reviewed-by: Mika Westerberg Acked-by: Lu Baolu Link: https://lore.kernel.org/r/20200622231345.29722-4-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin --- drivers/iommu/intel-iommu.c | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index fde7aba49b746..a29ed14839c41 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -6200,6 +6200,23 @@ intel_iommu_domain_set_attr(struct iommu_domain *domain, return ret; } +/* + * Check that the device does not live on an external facing PCI port that is + * marked as untrusted. Such devices should not be able to apply quirks and + * thus not be able to bypass the IOMMU restrictions. + */ +static bool risky_device(struct pci_dev *pdev) +{ + if (pdev->untrusted) { + pci_info(pdev, + "Skipping IOMMU quirk for dev [%04X:%04X] on untrusted PCI link\n", + pdev->vendor, pdev->device); + pci_info(pdev, "Please check with your BIOS/Platform vendor about this\n"); + return true; + } + return false; +} + const struct iommu_ops intel_iommu_ops = { .capable = intel_iommu_capable, .domain_alloc = intel_iommu_domain_alloc, @@ -6229,6 +6246,9 @@ const struct iommu_ops intel_iommu_ops = { static void quirk_iommu_igfx(struct pci_dev *dev) { + if (risky_device(dev)) + return; + pci_info(dev, "Disabling IOMMU for graphics on this chipset\n"); dmar_map_gfx = 0; } @@ -6270,6 +6290,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x163D, quirk_iommu_igfx); static void quirk_iommu_rwbf(struct pci_dev *dev) { + if (risky_device(dev)) + return; + /* * Mobile 4 Series Chipset neglects to set RWBF capability, * but needs it. Same seems to hold for the desktop versions. @@ -6300,6 +6323,9 @@ static void quirk_calpella_no_shadow_gtt(struct pci_dev *dev) { unsigned short ggc; + if (risky_device(dev)) + return; + if (pci_read_config_word(dev, GGC, &ggc)) return; @@ -6333,6 +6359,12 @@ static void __init check_tylersburg_isoch(void) pdev = pci_get_device(PCI_VENDOR_ID_INTEL, 0x3a3e, NULL); if (!pdev) return; + + if (risky_device(pdev)) { + pci_dev_put(pdev); + return; + } + pci_dev_put(pdev); /* System Management Registers. Might be hidden, in which case @@ -6342,6 +6374,11 @@ static void __init check_tylersburg_isoch(void) if (!pdev) return; + if (risky_device(pdev)) { + pci_dev_put(pdev); + return; + } + if (pci_read_config_dword(pdev, 0x188, &vtisochctrl)) { pci_dev_put(pdev); return; -- 2.25.1