integ/kernel/kernel-std/centos/patches/intel-iommu-allow-ignoring-Ethernet-device-RMRR-with.patch
zhiguo.zhang 30788066d6 Upgrade std kernel patch to CentOS7.6 3.10.0-957.12.2
New set of CVEs was reported against Intel CPUs: CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091.
For these CVEs there are RH and CentOS updates available.

CVE-2018-12126:
Microarchitectural Store Buffer Data Sampling (MSBDS):
Store buffers on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially
enable information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf

CVE-2018-12127:
Microarchitectural Load Port Data Sampling (MLPDS):
Load ports on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf

CVE-2018-12130:
Microarchitectural Fill Buffer Data Sampling (MFBDS):
Fill buffers on some microprocessors utilizing speculative execution
may allow an authenticated user to potentially enable information
disclosure via a side channel with local access. A list of impacted
products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf

CVE-2019-11091:
Microarchitectural Data Sampling Uncacheable Memory(MDSUM):
Uncacheable memory on some microprocessors utilizing speculative
execution may allow an authenticated user to potentially enable
information disclosure via a side channel with local access.
A list of impacted products can be found here:
https://www.intel.com/content/dam/www/public/us/en/documents/
corporate-information/SA00233-microcode-update-guidance_05132019.pdf

These are from the http://cve.mitre.org website.
These are the MDS security CVEs.

The patch is modified as follows:
1.Delete the 929-931 line of the arch/x86/kernel/cpu/cacheinfo.c file,
  because starlingx's Porting-Cacheinfo-from-Kernel-4.10.17.patch
  removes the ici_cpuid4_info structure.

2.The build-logic-and-sources-for-TiC.patch version number
  has been modified.

3.In addition to the modifications in the files in 1 and 2,
  other patches only modify the line number.

Closes-Bug: 1830487
Depends-On: https://review.opendev.org/663071
Change-Id: I4cad783311ed4a6c60b4f69bdad75d773d0cd23d
Signed-off-by: zhiguo.zhang <zhiguox.zhang@intel.com>
2019-06-11 11:09:32 +08:00

121 lines
5.2 KiB
Diff

From c449e4c490ac85ccf04e8aab67c8120aa48f8ad0 Mon Sep 17 00:00:00 2001
Message-Id: <c449e4c490ac85ccf04e8aab67c8120aa48f8ad0.1527544850.git.Jim.Somerville@windriver.com>
In-Reply-To: <b6ceef1c915827b50ce3f76da4dc47f3eb768b44.1527544850.git.Jim.Somerville@windriver.com>
References: <b6ceef1c915827b50ce3f76da4dc47f3eb768b44.1527544850.git.Jim.Somerville@windriver.com>
From: Matt Peters <matt.peters@windriver.com>
Date: Mon, 30 May 2016 10:51:02 -0400
Subject: [PATCH 08/26] intel-iommu: allow ignoring Ethernet device RMRR with
IOMMU passthrough
Some BIOS's are reporting DMAR RMRR entries for Ethernet devices
which is causing problems when PCI passthrough is enabled. These
devices should be able to use the static identity map since the
host should not be enforcing specific address ranges when IOMMU
passthrough is enabled.
Originally-by: Matt Peters <matt.peters@windriver.com>
[PG: Added bootarg wrapper and documentation entries.]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Nam Ninh <nam.ninh@windriver.com>
Signed-off-by: Nam Ninh <nam.ninh@windriver.com>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
Documentation/Intel-IOMMU.txt | 18 ++++++++++++++++++
Documentation/kernel-parameters.txt | 5 +++++
drivers/iommu/intel-iommu.c | 19 +++++++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/Documentation/Intel-IOMMU.txt b/Documentation/Intel-IOMMU.txt
index cf9431d..1dcc349 100644
--- a/Documentation/Intel-IOMMU.txt
+++ b/Documentation/Intel-IOMMU.txt
@@ -32,6 +32,24 @@ regions will fail. Hence BIOS uses RMRR to specify these regions along with
devices that need to access these regions. OS is expected to setup
unity mappings for these regions for these devices to access these regions.
+RMRR for other devices?
+-----------------------
+
+There are reports of BIOS out there that indicate RMRR regions for things
+like ethernet devices. As per mainline commit c875d2c1b8083 ("iommu/vt-d:
+ Exclude devices using RMRRs from IOMMU API domains") such a device is
+"fundamentally incompatible" with the IOMMU API and "we must prevent such
+devices from being used by the IOMMU API." However, in the event that
+the RMRR indicated by the BIOS is assumed to be just a reporting error,
+there is an additional iommu boot arg that can be used to ignore RMRR
+settings for ethernet, i.e. "intel_iommu=on,eth_no_rmrr iommu=pt".
+Note that iommu=pt is required in order to eth_no_rmrr to have effect.
+
+If you use this setting, you should consult with your hardware vendor to
+confirm that it is just a reporting error, and that it truly is not
+actively using any DMA to/from RMRR, as otherwise system instability
+may result.
+
How is IOVA generated?
---------------------
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 2f7feb0..590c8c2 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1315,6 +1315,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
than 32-bit addressing. The default is to look
for translation below 32-bit and if not available
then look in the higher range.
+ eth_no_rmrr [Default Off]
+ With this option provided, the kernel will ignore
+ any specified RMRR regions specified by the BIOS
+ for PCI ethernet devices. Confirm with your hardware
+ vendor the RMRR regions are indeed invalid first.
strict [Default Off]
With this option on every unmap_single operation will
result in a hardware IOTLB flush operation as opposed
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index 260597e..6c16b68 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -480,6 +480,7 @@ static int dmar_forcedac;
static int intel_iommu_strict;
static int intel_iommu_superpage = 1;
static int intel_iommu_ecs = 1;
+static int intel_iommu_ethrmrr = 1;
/* We only actually use ECS when PASID support (on the new bit 40)
* is also advertised. Some early implementations — the ones with
@@ -539,6 +540,15 @@ static int __init intel_iommu_setup(char *str)
} else if (!strncmp(str, "forcedac", 8)) {
pr_info("Forcing DAC for PCI devices\n");
dmar_forcedac = 1;
+ } else if (!strncmp(str, "eth_no_rmrr", 11)) {
+ if (!iommu_pass_through) {
+ printk(KERN_WARNING
+ "Intel-IOMMU: error - eth_no_rmrr requires iommu=pt\n");
+ } else {
+ printk(KERN_INFO
+ "Intel-IOMMU: ignoring ethernet RMRR values\n");
+ intel_iommu_ethrmrr = 0;
+ }
} else if (!strncmp(str, "strict", 6)) {
pr_info("Disable batched IOTLB flush\n");
intel_iommu_strict = 1;
@@ -2820,6 +2830,15 @@ static bool device_is_rmrr_locked(struct device *dev)
if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
return false;
+ /* As a temporary workaround for issues seen on ProLiant DL380p,
+ * allow the operator to ignore the RMRR settings for ethernet
+ * devices. Ideally the end user should contact their vendor
+ * regarding why there are RMRR, as per mainline c875d2c1b8083
+ * ("iommu/vt-d: Exclude devices using RMRRs from IOMMU API domains")
+ * it seems that these make no sense at all.
+ */
+ if ((pdev->class >> 8) == PCI_CLASS_NETWORK_ETHERNET && !intel_iommu_ethrmrr)
+ return false;
}
return true;
--
1.8.3.1