Re: [PATCH 1/4] iommu/vt-d: Disable ATS support on untrusted devices

From: Mika Westerberg
Date: Sat Mar 02 2019 - 03:29:40 EST


On Fri, Mar 01, 2019 at 11:23:10AM +0800, Lu Baolu wrote:
> Commit fb58fdcd295b9 ("iommu/vt-d: Do not enable ATS for untrusted
> devices") disables ATS support on the devices which have been marked
> as untrusted. Unfortunately this is not enough to fix the DMA attack
> vulnerabilities because IOMMU driver allows translated requests as
> long as a device advertises the ATS capability. Hence a malicious
> peripheral device could use this to bypass IOMMU.
>
> This disables the ATS support on untrusted devices by clearing the
> internal per-device ATS mark. As a result, IOMMU driver will block
> any translated requests from any device marked as untrusted.
>
> Cc: Jacob Pan <jacob.jun.pan@xxxxxxxxxxxxxxx>
> Cc: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>

Reviewed-by: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>