asedeno.scripts.mit.edu Git - linux.git/commit

author	Lu Baolu <baolu.lu@linux.intel.com>
	Fri, 1 Mar 2019 03:23:10 +0000 (11:23 +0800)
committer	Joerg Roedel <jroedel@suse.de>
	Fri, 1 Mar 2019 09:23:35 +0000 (10:23 +0100)
commit	d8b8591054575f33237556c32762d54e30774d28
tree	2cfcf6e571666e190f487838b3e494576b007c36	tree \| snapshot
parent	fff42928ade591969836ff49888d063b829ac888	commit \| diff

iommu/vt-d: Disable ATS support on untrusted devices

Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
devices") disables ATS support on the devices which have been marked
as untrusted. Unfortunately this is not enough to fix the DMA attack
vulnerabiltiies because IOMMU driver allows translated requests as
long as a device advertises the ATS capability. Hence a malicious
peripheral device could use this to bypass IOMMU.

This disables the ATS support on untrusted devices by clearing the
internal per-device ATS mark. As the result, IOMMU driver will block
any translated requests from any device marked as untrusted.

Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Suggested-by: Kevin Tian <kevin.tian@intel.com>
Suggested-by: Ashok Raj <ashok.raj@intel.com>
Fixes: fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>