Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1975963ybh;
        Tue, 14 Jul 2020 12:05:18 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw0JiHDfXJWZkklirkLoXqKaCLghIIlZZev8Bls8fsShUmMKuK4LLf4C+vZnSGVk9timjWF
X-Received: by 2002:a17:906:3e54:: with SMTP id t20mr5762523eji.471.1594753518766;
        Tue, 14 Jul 2020 12:05:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594753518; cv=none;
        d=google.com; s=arc-20160816;
        b=bSFiigKh9d9OAV8BsFnt6VQ0tHhtJbYuMdDkxRFY1k0LQTQqGwUENJbcYkzi1z0Ot1
         FBUuC0Dds6XgRLgYjgFD3p0u7I5DgABRyYztF1jYr0wUXWu+roJ9nprQ6cDRZeKSG0h/
         TFbhlJQsQ2M2iL2m04nGWOsTJbC/yRMmmHCzTp2NH8MNMidXph4zJyt5hqvnlIUgIuYt
         IIH5g7S+Fr+Oml9UxXQZ/+XPMHHkJJZ9Ld5QHR3Vygx5LHRPe6K59jJnghchqhs75mxc
         w71bX9KZwsLaCee3/tkTdA66sm+2Bmu5+o4lvelWqP0sTSTz5baRBbPacemZShAXr1F9
         dkyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=FLQfP4KEIroUwG5NRXnId//0o/H9T3boi3081eRdjkQ=;
        b=Av0RsVVqkhCnj3a9B0/50J8oE7vFd1WNFnfZyFkKPoT2MzFCzf5uFvMk0Gcz4w6e+6
         Dj7WdeznWJS1H6c2GYLHLXFiOC/g6v54sAm0zire0K7+foWYfoMGC38liQNvd3yphRcH
         04Yf3N1g7CMYsi+4Y6PSDOWkkZi9qVkwTMAbzMa6EW56yMEluRJDRDwfWWVA6vQr3e2U
         iRU/FOMfsFuLTXQjPJ7QtOrlpBT/fJo9Oc4rIP9zLbD+CKv1dVt1g4WJ4n3WyG7lcutr
         iUMoHdfRvm35eoEwusvhzjJMKFOG2hz/uln8PBSl1bdstNKhOA+13Frng10OpFDmuZn1
         +ehw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NjN+rqZN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v21si12177814ejg.127.2020.07.14.12.04.54;
        Tue, 14 Jul 2020 12:05:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=NjN+rqZN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731336AbgGNTEv (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Tue, 14 Jul 2020 15:04:51 -0400
Received: from mail.kernel.org ([198.145.29.99]:53438 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729718AbgGNSzl (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Jul 2020 14:55:41 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 45A5B22282;
        Tue, 14 Jul 2020 18:55:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1594752940;
        bh=/63arVv2yF+aZ8Pzf5dquTJuilNwkjyY26Szdcnco3I=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=NjN+rqZNn1AG3hf1g8nE5GGEhJHvU/z8Scmdz1xfcDG/ZIRzDqRcM4cvPscceS88K
         SrkZy8PYPeimR5H5U2UgduOJ3vO3LhO9IuiwVMnL34XqtiA8HWm+dLJ4BIB0MhYT6A
         ko4TtK4UqBdhFl5Yn5H/TSPPnmnP9HHhEOChD0Sk=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Rajat Jain <rajatja@google.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Mika Westerberg <mika.westerberg@linux.intel.com>,
        Lu Baolu <baolu.lu@linux.intel.com>,
        Joerg Roedel <jroedel@suse.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.7 028/166] iommu/vt-d: Dont apply gfx quirks to untrusted devices
Date:   Tue, 14 Jul 2020 20:43:13 +0200
Message-Id: <20200714184117.232454967@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200714184115.844176932@linuxfoundation.org>
References: <20200714184115.844176932@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rajat Jain <rajatja@google.com>

[ Upstream commit 67e8a5b18d41af9298db5c17193f671f235cce01 ]

Currently, an external malicious PCI device can masquerade the VID:PID
of faulty gfx devices, and thus apply iommu quirks to effectively
disable the IOMMU restrictions for itself.

Thus we need to ensure that the device we are applying quirks to, is
indeed an internal trusted device.

Signed-off-by: Rajat Jain <rajatja@google.com>
Reviewed-by: Ashok Raj <ashok.raj@intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/20200622231345.29722-4-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/intel-iommu.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 34b2ed91cf4d9..2acf2842c3bd2 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -6206,6 +6206,23 @@ intel_iommu_domain_set_attr(struct iommu_domain *domain,
 	return ret;
 }
 
+/*
+ * Check that the device does not live on an external facing PCI port that is
+ * marked as untrusted. Such devices should not be able to apply quirks and
+ * thus not be able to bypass the IOMMU restrictions.
+ */
+static bool risky_device(struct pci_dev *pdev)
+{
+	if (pdev->untrusted) {
+		pci_info(pdev,
+			 "Skipping IOMMU quirk for dev [%04X:%04X] on untrusted PCI link\n",
+			 pdev->vendor, pdev->device);
+		pci_info(pdev, "Please check with your BIOS/Platform vendor about this\n");
+		return true;
+	}
+	return false;
+}
+
 const struct iommu_ops intel_iommu_ops = {
 	.capable		= intel_iommu_capable,
 	.domain_alloc		= intel_iommu_domain_alloc,
@@ -6235,6 +6252,9 @@ const struct iommu_ops intel_iommu_ops = {
 
 static void quirk_iommu_igfx(struct pci_dev *dev)
 {
+	if (risky_device(dev))
+		return;
+
 	pci_info(dev, "Disabling IOMMU for graphics on this chipset\n");
 	dmar_map_gfx = 0;
 }
@@ -6276,6 +6296,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x163D, quirk_iommu_igfx);
 
 static void quirk_iommu_rwbf(struct pci_dev *dev)
 {
+	if (risky_device(dev))
+		return;
+
 	/*
 	 * Mobile 4 Series Chipset neglects to set RWBF capability,
 	 * but needs it. Same seems to hold for the desktop versions.
@@ -6306,6 +6329,9 @@ static void quirk_calpella_no_shadow_gtt(struct pci_dev *dev)
 {
 	unsigned short ggc;
 
+	if (risky_device(dev))
+		return;
+
 	if (pci_read_config_word(dev, GGC, &ggc))
 		return;
 
@@ -6339,6 +6365,12 @@ static void __init check_tylersburg_isoch(void)
 	pdev = pci_get_device(PCI_VENDOR_ID_INTEL, 0x3a3e, NULL);
 	if (!pdev)
 		return;
+
+	if (risky_device(pdev)) {
+		pci_dev_put(pdev);
+		return;
+	}
+
 	pci_dev_put(pdev);
 
 	/* System Management Registers. Might be hidden, in which case
@@ -6348,6 +6380,11 @@ static void __init check_tylersburg_isoch(void)
 	if (!pdev)
 		return;
 
+	if (risky_device(pdev)) {
+		pci_dev_put(pdev);
+		return;
+	}
+
 	if (pci_read_config_dword(pdev, 0x188, &vtisochctrl)) {
 		pci_dev_put(pdev);
 		return;
-- 
2.25.1