[Impact]
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in DMAR ACPI table.
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station.
iommu enabled as expected with this fix.
[Regression Potential]
Upstream fix, Verified on supported platforms, no affection on not supported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good.
SRU justification:
[Impact] PLATFORM_ OPT_IN_ FLAG flag in DMAR ACPI table.
OS can use IOMMU to defend against DMA attacks from a PCI device like thunderbolt one.
Intel adds DMA_CTRL_
Use this flag to enable IOMMU and use _DSD to identify untrusted PCI devices.
[Fix]
Enable IOMMU when BIOS supports DMA opt in flag and ExternalFacingPort in _DSD.
Disable ATS on the untrusted PCI device.
[Test]
Tested on 2 Intel platforms that supports DMA opt in flag with a thunderbolt dock station.
iommu enabled as expected with this fix.
[Regression Potential]
Upstream fix, Verified on supported platforms, no affection on not supported platforms.
Backported changes are fairly minimal.
These patches are included in 5.0 kernel, disco is good.