提交 cef74409 编写于 作者: G Gil Kupfer 提交者: Bjorn Helgaas

PCI: Add "pci=noats" boot parameter

Adds a "pci=noats" boot parameter.  When supplied, all ATS related
functions fail immediately and the IOMMU is configured to not use
device-IOTLB.

Any function that checks for ATS capabilities directly against the devices
should also check this flag.  Currently, such functions exist only in IOMMU
drivers, and they are covered by this patch.

The motivation behind this patch is the existence of malicious devices.
Lots of research has been done about how to use the IOMMU as protection
from such devices.  When ATS is supported, any I/O device can access any
physical address by faking device-IOTLB entries.  Adding the ability to
ignore these entries lets sysadmins enhance system security.
Signed-off-by: NGil Kupfer <gilkup@cs.technion.ac.il>
Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
Acked-by: NJoerg Roedel <jroedel@suse.de>
上级 f154a718
...@@ -3147,6 +3147,8 @@ ...@@ -3147,6 +3147,8 @@
on: Turn realloc on on: Turn realloc on
realloc same as realloc=on realloc same as realloc=on
noari do not use PCIe ARI. noari do not use PCIe ARI.
noats [PCIE, Intel-IOMMU, AMD-IOMMU]
do not use PCIe ATS (and IOMMU device IOTLB).
pcie_scan_all Scan all possible PCIe devices. Otherwise we pcie_scan_all Scan all possible PCIe devices. Otherwise we
only look for one device below a PCIe downstream only look for one device below a PCIe downstream
port. port.
......
...@@ -355,6 +355,9 @@ static bool pci_iommuv2_capable(struct pci_dev *pdev) ...@@ -355,6 +355,9 @@ static bool pci_iommuv2_capable(struct pci_dev *pdev)
}; };
int i, pos; int i, pos;
if (pci_ats_disabled())
return false;
for (i = 0; i < 3; ++i) { for (i = 0; i < 3; ++i) {
pos = pci_find_ext_capability(pdev, caps[i]); pos = pci_find_ext_capability(pdev, caps[i]);
if (pos == 0) if (pos == 0)
...@@ -3524,9 +3527,11 @@ int amd_iommu_device_info(struct pci_dev *pdev, ...@@ -3524,9 +3527,11 @@ int amd_iommu_device_info(struct pci_dev *pdev,
memset(info, 0, sizeof(*info)); memset(info, 0, sizeof(*info));
if (!pci_ats_disabled()) {
pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS); pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS);
if (pos) if (pos)
info->flags |= AMD_IOMMU_DEVICE_FLAG_ATS_SUP; info->flags |= AMD_IOMMU_DEVICE_FLAG_ATS_SUP;
}
pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_PRI); pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_PRI);
if (pos) if (pos)
......
...@@ -2459,7 +2459,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu, ...@@ -2459,7 +2459,8 @@ static struct dmar_domain *dmar_insert_one_dev_info(struct intel_iommu *iommu,
if (dev && dev_is_pci(dev)) { if (dev && dev_is_pci(dev)) {
struct pci_dev *pdev = to_pci_dev(info->dev); struct pci_dev *pdev = to_pci_dev(info->dev);
if (ecap_dev_iotlb_support(iommu->ecap) && if (!pci_ats_disabled() &&
ecap_dev_iotlb_support(iommu->ecap) &&
pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) && pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ATS) &&
dmar_find_matched_atsr_unit(pdev)) dmar_find_matched_atsr_unit(pdev))
info->ats_supported = 1; info->ats_supported = 1;
......
...@@ -20,6 +20,9 @@ void pci_ats_init(struct pci_dev *dev) ...@@ -20,6 +20,9 @@ void pci_ats_init(struct pci_dev *dev)
{ {
int pos; int pos;
if (pci_ats_disabled())
return;
pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ATS); pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ATS);
if (!pos) if (!pos)
return; return;
......
...@@ -112,6 +112,14 @@ unsigned int pcibios_max_latency = 255; ...@@ -112,6 +112,14 @@ unsigned int pcibios_max_latency = 255;
/* If set, the PCIe ARI capability will not be used. */ /* If set, the PCIe ARI capability will not be used. */
static bool pcie_ari_disabled; static bool pcie_ari_disabled;
/* If set, the PCIe ATS capability will not be used. */
static bool pcie_ats_disabled;
bool pci_ats_disabled(void)
{
return pcie_ats_disabled;
}
/* Disable bridge_d3 for all PCIe ports */ /* Disable bridge_d3 for all PCIe ports */
static bool pci_bridge_d3_disable; static bool pci_bridge_d3_disable;
/* Force bridge_d3 for all PCIe ports */ /* Force bridge_d3 for all PCIe ports */
...@@ -5793,6 +5801,9 @@ static int __init pci_setup(char *str) ...@@ -5793,6 +5801,9 @@ static int __init pci_setup(char *str)
if (*str && (str = pcibios_setup(str)) && *str) { if (*str && (str = pcibios_setup(str)) && *str) {
if (!strcmp(str, "nomsi")) { if (!strcmp(str, "nomsi")) {
pci_no_msi(); pci_no_msi();
} else if (!strncmp(str, "noats", 5)) {
pr_info("PCIe: ATS is disabled\n");
pcie_ats_disabled = true;
} else if (!strcmp(str, "noaer")) { } else if (!strcmp(str, "noaer")) {
pci_no_aer(); pci_no_aer();
} else if (!strncmp(str, "realloc=", 8)) { } else if (!strncmp(str, "realloc=", 8)) {
......
...@@ -1479,6 +1479,8 @@ static inline void pcie_set_ecrc_checking(struct pci_dev *dev) { } ...@@ -1479,6 +1479,8 @@ static inline void pcie_set_ecrc_checking(struct pci_dev *dev) { }
static inline void pcie_ecrc_get_policy(char *str) { } static inline void pcie_ecrc_get_policy(char *str) { }
#endif #endif
bool pci_ats_disabled(void);
#ifdef CONFIG_PCI_ATS #ifdef CONFIG_PCI_ATS
/* Address Translation Service */ /* Address Translation Service */
void pci_ats_init(struct pci_dev *dev); void pci_ats_init(struct pci_dev *dev);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册