The verification of the Stable Release Update for linux-azure has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-oem in Ubuntu.
https://bugs.launchpad.net/bugs/1820153

Title:
  [SRU][B/C/OEM]IOMMU: add kernel dma protection

Status in HWE Next:
  Fix Released
Status in linux package in Ubuntu:
  Invalid
Status in linux-oem package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux-oem source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux-oem source package in Cosmic:
  Fix Released

Bug description:
  SRU justification:

  [Impact]
  Recent systems ship with "kernel DMA protection" = "enabled" by default in BIOS. This setting option changes "Thunderbolt Security Level" to "No Security (SL0)". With this setting, systems will be vulnerable to a DMA attack by a Thunderbolt device. The OS can use the IOMMU to defend against DMA attacks from a PCI device such as a Thunderbolt one. Intel adds the DMA_CTRL_PLATFORM_OPT_IN_FLAG flag in the DMAR ACPI table. Use this flag to enable the IOMMU and use _DSD to identify untrusted PCI devices.

  [Fix]
  Enable the IOMMU when the BIOS supports the DMA opt-in flag and ExternalFacingPort in _DSD. Disable ATS on the untrusted PCI device.

  [Test]
  Tested on 2 Intel platforms that support the DMA opt-in flag with a Thunderbolt dock station. IOMMU enabled as expected with this fix. Verified by QA's full test with a temporary build of the bionic-oem kernel. All tests passed on one supported "DMA protection" system and one non-supported "DMA protection" system.

  [Regression Potential]
  Upstream fix, verified on supported platforms, no effect on unsupported platforms. Backported changes are fairly minimal. These patches are included in the 5.0 kernel; disco is good.
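A way to confirm on a running machine that the firmware actually set the DMAR opt-in flag the fix keys on, and that the kernel reports IOMMU-based DMA protection for the Thunderbolt domain. This is an added example, not code from the bug report or the Ubuntu kernel; it assumes the standard ACPI DMAR header layout (Flags byte at offset 37, bit 2 = DMA_CTRL_PLATFORM_OPT_IN_FLAG) and the sysfs paths named in the comments, and the sample table bytes are constructed here for illustration.

```python
"""Check the firmware/kernel side of "kernel DMA protection" (added example)."""
import glob
import struct

DMAR_PATH = "/sys/firmware/acpi/tables/DMAR"          # raw ACPI DMAR table
# sysfs attribute exported by the thunderbolt driver (kernel 5.0+)
TBT_GLOB = "/sys/bus/thunderbolt/devices/domain*/iommu_dma_protection"
DMAR_PLATFORM_OPT_IN = 1 << 2   # bit 2 of the DMAR Flags byte


def parse_dmar_header(table: bytes) -> dict:
    """Decode the fixed part of a DMAR table: signature, length, HAW, flags."""
    if len(table) < 38 or table[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    sig, length = struct.unpack_from("<4sI", table, 0)
    # 36-byte common ACPI header, then host address width (HAW-1) and Flags
    hawd, flags = struct.unpack_from("<BB", table, 36)
    return {"signature": sig.decode(), "length": length,
            "host_address_width": hawd + 1, "flags": flags}


def dmar_platform_opt_in(table: bytes) -> bool:
    """True if the platform asked the OS to enable DMA protection."""
    return bool(parse_dmar_header(table)["flags"] & DMAR_PLATFORM_OPT_IN)


def thunderbolt_dma_protection(pattern: str = TBT_GLOB) -> dict:
    """Map each Thunderbolt domain to whether the kernel reports IOMMU DMA protection."""
    status = {}
    for path in glob.glob(pattern):
        with open(path) as f:
            status[path.split("/")[-2]] = f.read().strip() == "1"
    return status


def make_sample_dmar(flags: int) -> bytes:
    """Constructed 48-byte DMAR table (header + HAW + flags + reserved) for testing."""
    header = b"DMAR" + struct.pack("<I", 48) + b"\x01\x00" + b"SAMPLE" + b"SAMPLEID"
    header += struct.pack("<I", 1) + b"SMPL" + struct.pack("<I", 1)   # 36 bytes
    return header + bytes([38, flags]) + b"\x00" * 10


if __name__ == "__main__":
    with open(DMAR_PATH, "rb") as f:
        print("DMAR platform opt-in:", dmar_platform_opt_in(f.read()))
    print("Thunderbolt iommu_dma_protection:", thunderbolt_dma_protection())
```

Run as root on the affected system; both answers should be True with the fixed kernel on a "DMA protection"-enabled BIOS.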
To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/1820153/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp