projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 95feb31) | patch
dmaengine: idxd: add a new security check to deal with a hardware erratum
authorArjan van de Ven <arjan@linux.intel.com>
Wed, 24 Apr 2024 14:43:22 +0000 (14:43 +0000)
committerArjan van de Ven <arjan@linux.intel.com>
Mon, 13 May 2024 14:07:40 +0000 (14:07 +0000)
commite11452eb071b2a8e6ba52892b2e270bbdaa6640d
tree42c2b4a782fc0c5900d425f11eb7b97e4cb297d4tree | snapshot
parent95feb3160eef0caa6018e175a5560b816aee8e79commit | diff
dmaengine: idxd: add a new security check to deal with a hardware erratum

On Sapphire Rapids and related platforms, the DSA and IAA devices have an
erratum that causes direct access (for example, by using the ENQCMD or
MOVDIR64 instructions) from untrusted applications to be a security problem.

To solve this, add a flag to the PCI device enumeration and device structures
to indicate the presence/absence of this security exposure. In the mmap()
method of the device, this flag is then used to enforce that the user
has the CAP_SYS_RAWIO capability.

In a future patch, a write() based method will be added that allows untrusted
applications submit work to the accelerator, where the kernel can do
sanity checking on the user input to ensure secure operation of the accelerator.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
drivers/dma/idxd/cdev.c diff | blob | blame | history
drivers/dma/idxd/idxd.h diff | blob | blame | history
drivers/dma/idxd/init.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)