iommu/vt-d: Disable ATS support on untrusted devices
Commit fb58fdcd ("iommu/vt-d: Do not enable ATS for untrusted devices") disables ATS support on the devices which have been marked as untrusted. Unfortunately this is not enough to fix the DMA attack vulnerabiltiies because IOMMU driver allows translated requests as long as a device advertises the ATS capability. Hence a malicious peripheral device could use this to bypass IOMMU. This disables the ATS support on untrusted devices by clearing the internal per-device ATS mark. As the result, IOMMU driver will block any translated requests from any device marked as untrusted. Cc: Jacob Pan <jacob.jun.pan@linux.intel.com> Cc: Mika Westerberg <mika.westerberg@linux.intel.com> Suggested-by: NKevin Tian <kevin.tian@intel.com> Suggested-by: NAshok Raj <ashok.raj@intel.com> Fixes: fb58fdcd ("iommu/vt-d: Do not enable ATS for untrusted devices") Signed-off-by: NLu Baolu <baolu.lu@linux.intel.com> Signed-off-by: NJoerg Roedel <jroedel@suse.de>
Showing
想要评论请 注册 或 登录