On Mon, Nov 12, 2018 at 07:06:26PM +0300, Mika Westerberg wrote:
> From: Lu Baolu <baolu...@linux.intel.com>
>
> Intel VT-d spec added a new DMA_CTRL_PLATFORM_OPT_IN_FLAG flag
> in DMAR ACPI table for BIOS to report compliance about platform
> initiated DMA restricted to RMRR ranges when transferring control
> to the OS. The OS treats this as a hint that the IOMMU should be
> enabled to prevent DMA attacks from possible malicious devices.
>
> A use of this flag is Kernel DMA protection for Thunderbolt[1]
> which in practice means that IOMMU should be enabled for PCIe
> devices connected to the Thunderbolt ports. With IOMMU enabled
> for these devices, all DMA operations are limited in the range
> reserved for it, thus the DMA attacks are prevented. All these
> devices are enumerated in the PCI/PCIe module and marked with
> an is_external flag.
>
> This forces IOMMU to be enabled if DMA_CTRL_PLATFORM_OPT_IN_FLAG
> is set in DMAR ACPI table and there are PCIe devices marked as
> is_external in the system. This can be turned off by adding
> "intel_iommu=off" in the kernel command line, if any problems are
> found.
>
> [1]
> https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
>
> Cc: Ashok Raj <ashok....@intel.com>
> Cc: Jacob Pan <jacob.jun....@linux.intel.com>
> Cc: Sohil Mehta <sohil.me...@intel.com>
> Signed-off-by: Lu Baolu <baolu...@linux.intel.com>
> Signed-off-by: Mika Westerberg <mika.westerb...@linux.intel.com>

Looks good to me

Reviewed-by: Ashok Raj <ashok....@intel.com>

> ---
>  drivers/iommu/dmar.c        | 25 +++++++++++++++++
>  drivers/iommu/intel-iommu.c | 55 +++++++++++++++++++++++++++++++++++--
>  include/linux/dmar.h        |  8 ++++++
>  3 files changed, 86 insertions(+), 2 deletions(-)

_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
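
The decision the quoted commit message describes, modelled in user space as an added example (not code from the patch or from anyone in this thread). The function names, the 48-byte sample table and the simplified command-line match are assumptions; the offsets follow the ACPI DMAR table layout (flags byte at offset 37, bit 2 = DMA_CTRL_PLATFORM_OPT_IN_FLAG).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* ACPI DMAR layout: 36-byte ACPI header (signature at 0, length at 4,
 * checksum at 9), host address width at 36, flags at 37, 10 reserved. */
#define DMAR_MIN_LEN          48
#define DMAR_FLAGS_OFFSET     37
#define DMAR_PLATFORM_OPT_IN  0x04  /* bit 2: DMA_CTRL_PLATFORM_OPT_IN_FLAG */

/* 1 = opt-in set, 0 = clear, -1 = not a well-formed DMAR table. */
int dmar_platform_opt_in(const uint8_t *t, size_t n)
{
    uint8_t sum = 0;
    if (n < DMAR_MIN_LEN || memcmp(t, "DMAR", 4) != 0)
        return -1;
    uint32_t len = t[4] | (uint32_t)t[5] << 8 | (uint32_t)t[6] << 16 | (uint32_t)t[7] << 24;
    if (len < DMAR_MIN_LEN || len > n)
        return -1;
    for (uint32_t i = 0; i < len; i++)
        sum += t[i];                 /* ACPI: all bytes must sum to 0 mod 256 */
    return sum ? -1 : !!(t[DMAR_FLAGS_OFFSET] & DMAR_PLATFORM_OPT_IN);
}

/* Decision from the commit message: force the IOMMU on when the flag is set
 * and an is_external device exists, unless intel_iommu=off was given. */
bool should_force_iommu(int opt_in, bool has_external, const char *cmdline)
{
    static const char off[] = "intel_iommu=off";
    for (const char *p = cmdline; (p = strstr(p, off)) != NULL; p += sizeof off - 1) {
        char end = p[sizeof off - 1];
        if ((p == cmdline || p[-1] == ' ') && (end == '\0' || end == ' ' || end == ','))
            return false;            /* explicit opt-out by the administrator */
    }
    return opt_in == 1 && has_external;
}

/* Constructed sample: a minimal 48-byte DMAR table with a valid checksum. */
void build_sample_dmar(uint8_t buf[DMAR_MIN_LEN], uint8_t flags)
{
    uint8_t sum = 0;
    memset(buf, 0, DMAR_MIN_LEN);
    memcpy(buf, "DMAR", 4);
    buf[4] = DMAR_MIN_LEN;           /* little-endian length field */
    buf[DMAR_FLAGS_OFFSET] = flags;
    for (size_t i = 0; i < DMAR_MIN_LEN; i++)
        sum += buf[i];
    buf[9] = (uint8_t)(0 - sum);     /* checksum byte makes the total 0 */
}
```

On a Linux host the same parser can be fed the bytes of /sys/firmware/acpi/tables/DMAR (readable by root) to see whether the firmware sets the flag.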