** Description changed:

  SRU justification:
  
  [Impact]
+ Recent systems ship with "kernel DMA protection" = "enabled" by default in BIOS. This option changed "Thunderbolt Security Level" to "No Security (SL0)".
+ With this setting, systems will be vulnerable to a DMA attack by a Thunderbolt device.
+ 
  The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
  Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
  Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
  
  [Fix]
  Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
  Disable ATS on the untrusted PCI device.
  
  [Test]
  Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt docking station.
  IOMMU enabled as expected with this fix.
  
  [Regression Potential]
  Upstream fix, verified on supported platforms, no effect on unsupported platforms.
  Backported changes are fairly minimal.
  
  These patches are included in 5.0 kernel, disco is good.

** Description changed:

  SRU justification:
  
  [Impact]
  Recent systems ship with "kernel DMA protection" = "enabled" by default in BIOS. This option changed "Thunderbolt Security Level" to "No Security (SL0)".
  With this setting, systems will be vulnerable to a DMA attack by a Thunderbolt device.
  
  The OS can use the IOMMU to defend against DMA attacks from a PCI device like a Thunderbolt one.
  Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table.
  Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.
  
  [Fix]
  Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD.
  Disable ATS on the untrusted PCI device.
  
  [Test]
  Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt docking station.
  IOMMU enabled as expected with this fix.
  
+ Verified by QA's full test with a temporary build of the bionic-oem kernel.
+ All tests passed on one supported "DMA protection" system and one
+ non-supported "DMA protection" system.
+ 
  [Regression Potential]
  Upstream fix, verified on supported platforms, no effect on unsupported platforms.
  Backported changes are fairly minimal.
  
  These patches are included in 5.0 kernel, disco is good.
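The opt-in flag the justification relies on is a single bit in the DMAR ACPI table's flags byte. The Python below is an added example, not part of the bug report or the kernel patches: it decodes that header, verifies the ACPI checksum, and reports whether the platform asks for kernel DMA protection. Assumptions: bit positions follow Linux's include/acpi/actbl2.h, /sys/firmware/acpi/tables/DMAR is readable only as root, and the OEM strings in the constructed sample table are made up.

```python
import struct
from pathlib import Path

# DMAR flags byte (offset 37); bit names follow Linux include/acpi/actbl2.h
DMAR_INTR_REMAP = 1 << 0
DMAR_X2APIC_OPT_OUT = 1 << 1
DMAR_PLATFORM_OPT_IN = 1 << 2  # the DMA_CTRL_PLATFORM_OPT_IN_FLAG from the report
DMAR_PATH = Path("/sys/firmware/acpi/tables/DMAR")  # readable by root on Linux
SDT_HDR = "<4sIBB6s8sI4sI"  # 36-byte ACPI system description table header

def parse_dmar(table: bytes) -> dict:
    """Decode the fixed DMAR header: SDT header, host address width, flags."""
    if len(table) < 38:
        raise ValueError("DMAR table too short")
    sig, length, _rev, _csum, oem_id, *_ = struct.unpack_from(SDT_HDR, table, 0)
    if sig != b"DMAR":
        raise ValueError(f"not a DMAR table: {sig!r}")
    if length != len(table):
        raise ValueError("DMAR length field does not match table size")
    haw, flags = struct.unpack_from("<BB", table, 36)
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode(),
        "host_address_width": haw + 1,  # firmware stores width - 1
        "checksum_ok": sum(table) % 256 == 0,  # ACPI tables sum to 0 mod 256
        "interrupt_remapping": bool(flags & DMAR_INTR_REMAP),
        "x2apic_opt_out": bool(flags & DMAR_X2APIC_OPT_OUT),
        "platform_opt_in": bool(flags & DMAR_PLATFORM_OPT_IN),
    }

def dma_protection_report(table: bytes) -> str:
    """Summarise what the kernel would conclude from this table's flags."""
    info = parse_dmar(table)
    if not info["checksum_ok"]:
        return "DMAR checksum invalid: flags cannot be trusted"
    if info["platform_opt_in"]:
        return "platform opt-in set: kernel enables the IOMMU for DMA protection"
    return "no platform opt-in: IOMMU state depends on intel_iommu= and kernel config"

def build_sample_dmar(flags: int) -> bytes:
    """Constructed 48-byte DMAR with no remapping structures (not real firmware)."""
    body = struct.pack(SDT_HDR, b"DMAR", 48, 1, 0, b"SAMPLE", b"SAMPLETB", 1, b"EXMP", 1)
    body += struct.pack("<BB", 38, flags) + b"\0" * 10  # HAW-1 = 38 -> 39-bit DMA
    return body[:9] + bytes([(-sum(body)) % 256]) + body[10:]  # checksum at offset 9

if __name__ == "__main__":  # real table needs root; otherwise use the sample
    try:
        table = DMAR_PATH.read_bytes()
    except OSError:
        table = build_sample_dmar(DMAR_INTR_REMAP | DMAR_PLATFORM_OPT_IN)
    print(dma_protection_report(table))
```

On a real system, also compare the result with /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection, which the kernel exposes once the fix is in place.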

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820153

Title:
  [SRU][B/C/OEM]IOMMU: add kernel dma protection

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1820153/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
