Closed
Open
Created Nov 29, 2018 by Christian Kellner (@gicmo, Owner). 6 of 6 tasks completed.

IOMMU DMA protection support

Newer hardware will add support for using IOMMU to protect against DMA attacks. The kernel support for this has been posted and will probably land in 4.21.

Support will be indicated via /sys/bus/thunderbolt/devices/domainX/iommu_dma_protection (with 1 indicating that the system is protected). On such systems the existing security levels are redundant because attack protection is already done by the hardware.

ToDo:

  1. Read domainX/iommu_dma_protection and expose it as a property of BoltDomain
  2. boltctl should indicate the actual protection in addition to the security level
  3. device handling for newly connected devices when iommu is active
    • auto-enroll new devices (with new IOMMU policy)
    • auto-authorize devices with IOMMU policy
    • auto-import new devices (with new IOMMU policy)
  4. Adjust policy from DEFAULT to IOMMU when manually enrolling a device and iommu is active
Edited Feb 04, 2019 by Christian Kellner
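
ToDo items 1 and 2 as a shell check, added here as an example and not taken from bolt: it reads each domain's `iommu_dma_protection` next to the kernel's `security` attribute and separates a kernel that does not expose the attribute from one that reports 0. The function names, the output format and the `new-device-policy` label (mirroring the DEFAULT/IOMMU policy in item 4) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not bolt's code): report DMA protection per Thunderbolt domain.
# The sysfs root is a parameter so the logic can run against a constructed tree.

# read_attr FILE: print the first line of FILE; fail if missing, unreadable or empty.
read_attr() {
    [ -r "$1" ] || return 1
    value=""
    IFS= read -r value < "$1" || [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# iommu_state DOMAIN_DIR: "yes" (attribute is 1), "no" (any other value),
# or "unsupported" when the kernel does not expose the attribute at all.
iommu_state() {
    if v=$(read_attr "$1/iommu_dma_protection"); then
        [ "$v" = "1" ] && echo yes || echo no
    else
        echo unsupported
    fi
}

# report_domains [SYSFS_ROOT]: one line per domain with the security level,
# the IOMMU state and the policy label this example assigns to new devices.
report_domains() {
    root=${1:-/sys}
    for dir in "$root"/bus/thunderbolt/devices/domain*; do
        [ -d "$dir" ] || continue   # glob did not match: no domains present
        iommu=$(iommu_state "$dir")
        security=$(read_attr "$dir/security") || security=unknown
        # Only an explicit 1 switches the policy; 0 or a missing attribute
        # keeps the existing security-level based handling.
        if [ "$iommu" = yes ]; then policy=iommu; else policy=default; fi
        printf '%s security=%s iommu=%s new-device-policy=%s\n' \
            "${dir##*/}" "$security" "$iommu" "$policy"
    done
}

# Inspect the live system, or the tree given as the first argument.
report_domains "${1:-/sys}"
```

A missing attribute is reported as `unsupported` rather than `no`, so an older kernel is not mistaken for hardware that reports no IOMMU protection.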