From: Bjorn Helgaas <helgaas@kernel.org>
To: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: iommu@lists.linux-foundation.org, Joerg Roedel <joro@8bytes.org>,
David Woodhouse <dwmw2@infradead.org>,
Lu Baolu <baolu.lu@linux.intel.com>,
Ashok Raj <ashok.raj@intel.com>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Jacob jun Pan <jacob.jun.pan@intel.com>,
Andreas Noever <andreas.noever@gmail.com>,
Michael Jamet <michael.jamet@intel.com>,
Yehezkel Bernat <YehezkelShB@gmail.com>,
Lukas Wunner <lukas@wunner.de>,
Christian Kellner <ckellner@redhat.com>,
Mario.Limonciello@dell.com,
Anthony Wong <anthony.wong@canonical.com>,
Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
Christoph Hellwig <hch@infradead.org>,
Alex Williamson <alex.williamson@redhat.com>,
linux-acpi@vger.kernel.org, linux-pci@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/4] PCI / ACPI: Identify untrusted PCI devices
Date: Wed, 28 Nov 2018 14:31:28 -0600
Message-ID: <20181128203128.GA178809@google.com>
In-Reply-To: <20181127085426.GI2296@lahna.fi.intel.com>

On Tue, Nov 27, 2018 at 10:54:26AM +0200, Mika Westerberg wrote:
> On Mon, Nov 26, 2018 at 06:17:11PM -0600, Bjorn Helgaas wrote:
> > Hi Mika,
>
> Hi,
>
> > On Mon, Nov 26, 2018 at 02:15:23PM +0300, Mika Westerberg wrote:
> > > Recent systems with Thunderbolt ports may support IOMMU natively.
> >
> > This sentence doesn't make sense to me. There's no logical connection
> > between having an IOMMU and having a Thunderbolt port.
> >
> > > This means that the platform utilizes IOMMU to prevent DMA attacks
> > > over externally exposed PCIe root ports (typically Thunderbolt
> > > ports)
> >
> > Nor this one. The platform only uses the IOMMU to prevent DMA attacks
> > if the OS chooses to do that.

I think by "platform" you're referring to the system firmware; I was
only thinking of the hardware, so the IOMMU wouldn't be used unless
someone (the OS) enabled it. But your cover letter talks about the
BIOS enabling some IOMMU functionality.

> I guess I'm trying to say here that the recent changes add such support
> to the platform BIOS that allows the OS to enable IOMMU without being
> compromised by a malicious device that is already connected. The BIOS
> sets the new ACPI DMAR bit in that case.

Ah, there's useful info to this effect in your [0/4] cover letter.
That info and the URL should be in the changelog of one of the patches so
it doesn't get lost.

> > > The system BIOS marks these PCIe root ports as being externally facing
> > > ports by implementing following ACPI _DSD [1] under the root port in
> > > question:
> >
> > There's no standard that requires this, so the best we can say is that
> > a system BIOS *may* mark externally facing ports with this mechanism.
>
> There is no standard but I'm quite sure this is something that will be
> required to be implemented properly by the OEM by Microsoft hardware
> compatibility suite.

Sure. Your statement suggests that all external ports will be marked
with the _DSD. I'm just pointing out that the OS can't assume that
because there are probably systems in the field that predate the _DSD.

Bjorn