ich777/linux_media
1
0
Fork 0
mirror of https://github.com/tbsdtv/linux_media.git synced 2025-07-23 12:43:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

thunderbolt: Add support for PCIe tunneling disabled (SL5)

Browse Source 
Recent Intel Thunderbolt firmware connection manager has support for
another security level, SL5, that disables PCIe tunneling. This option
can be turned on from the BIOS.

When this is set the driver exposes a new security level "nopcie" to the
userspace and hides the authorized attribute under connected devices.

While there we also hide it when "dponly" security level is enabled
since it is not really usable in that case anyway.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: Yehezkel Bernat <YehezkelShB@gmail.com>
This commit is contained in:
Mika Westerberg
2020-09-03 13:13:21 +03:00
parent 8b0ab503c0
commit 3cd542e6e6
5 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/ABI/testing/sysfs-bus-thunderbolt
View File

@@ -85,6 +85,8 @@ Description: This attribute holds current Thunderbolt security level
usbonly Automatically tunnel USB controller of the usbonly Automatically tunnel USB controller of the
connected Thunderbolt dock (and Display Port). All connected Thunderbolt dock (and Display Port). All
PCIe links downstream of the dock are removed. PCIe links downstream of the dock are removed.
nopcie USB4 system where PCIe tunneling is disabled from
the BIOS.
======= ================================================== ======= ==================================================
What: /sys/bus/thunderbolt/devices/.../authorized What: /sys/bus/thunderbolt/devices/.../authorized

7
Documentation/admin-guide/thunderbolt.rst
View File

@@ -47,6 +47,9 @@ be DMA masters and thus read contents of the host memory without CPU and OS
knowing about it. There are ways to prevent this by setting up an IOMMU but knowing about it. There are ways to prevent this by setting up an IOMMU but
it is not always available for various reasons. it is not always available for various reasons.
Some USB4 systems have a BIOS setting to disable PCIe tunneling. This is
treated as another security level (nopcie).
The security levels are as follows: The security levels are as follows:
none none
@@ -77,6 +80,10 @@ The security levels are as follows:
Display Port in a dock. All PCIe links downstream of the dock are Display Port in a dock. All PCIe links downstream of the dock are
removed. removed.
nopcie
PCIe tunneling is disabled/forbidden from the BIOS. Available in some
USB4 systems.
The current security level can be read from The current security level can be read from
``/sys/bus/thunderbolt/devices/domainX/security`` where ``domainX`` is ``/sys/bus/thunderbolt/devices/domainX/security`` where ``domainX`` is
the Thunderbolt domain the host controller manages. There is typically the Thunderbolt domain the host controller manages. There is typically

12
drivers/thunderbolt/domain.c
View File

@@ -118,6 +118,7 @@ static const char * const tb_security_names[] = {
[TB_SECURITY_SECURE] = "secure", [TB_SECURITY_SECURE] = "secure",
[TB_SECURITY_DPONLY] = "dponly", [TB_SECURITY_DPONLY] = "dponly",
[TB_SECURITY_USBONLY] = "usbonly", [TB_SECURITY_USBONLY] = "usbonly",
[TB_SECURITY_NOPCIE] = "nopcie",
}; };
static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr, static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr,
@@ -243,8 +244,14 @@ static ssize_t deauthorization_show(struct device *dev,
char *buf) char *buf)
{ {
const struct tb *tb = container_of(dev, struct tb, dev); const struct tb *tb = container_of(dev, struct tb, dev);
bool deauthorization = false;
return sprintf(buf, "%d\n", !!tb->cm_ops->disapprove_switch); /* Only meaningful if authorization is supported */
if (tb->security_level == TB_SECURITY_USER ||
tb->security_level == TB_SECURITY_SECURE)
deauthorization = !!tb->cm_ops->disapprove_switch;
return sprintf(buf, "%d\n", deauthorization);
} }
static DEVICE_ATTR_RO(deauthorization); static DEVICE_ATTR_RO(deauthorization);
@@ -452,6 +459,9 @@ int tb_domain_add(struct tb *tb)
goto err_ctl_stop; goto err_ctl_stop;
} }
tb_dbg(tb, "security level set to %s\n",
tb_security_names[tb->security_level]);
ret = device_add(&tb->dev); ret = device_add(&tb->dev);
if (ret) if (ret)
goto err_ctl_stop; goto err_ctl_stop;

6
drivers/thunderbolt/switch.c
View File

@@ -1774,7 +1774,11 @@ static umode_t switch_attr_is_visible(struct kobject *kobj,
struct device *dev = kobj_to_dev(kobj); struct device *dev = kobj_to_dev(kobj);
struct tb_switch *sw = tb_to_switch(dev); struct tb_switch *sw = tb_to_switch(dev);
if (attr == &dev_attr_device.attr) { if (attr == &dev_attr_authorized.attr) {
if (sw->tb->security_level == TB_SECURITY_NOPCIE ||
sw->tb->security_level == TB_SECURITY_DPONLY)
return 0;
} else if (attr == &dev_attr_device.attr) {
if (!sw->device) if (!sw->device)
return 0; return 0;
} else if (attr == &dev_attr_device_name.attr) { } else if (attr == &dev_attr_device_name.attr) {

3
include/linux/thunderbolt.h
View File

@@ -45,6 +45,8 @@ enum tb_cfg_pkg_type {
* @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected
* Thunderbolt dock (and Display Port). All PCIe * Thunderbolt dock (and Display Port). All PCIe
* links downstream of the dock are removed. * links downstream of the dock are removed.
* @TB_SECURITY_NOPCIE: For USB4 systems this level is used when the
* PCIe tunneling is disabled from the BIOS.
*/ */
enum tb_security_level { enum tb_security_level {
TB_SECURITY_NONE, TB_SECURITY_NONE,
@@ -52,6 +54,7 @@ enum tb_security_level {
TB_SECURITY_SECURE, TB_SECURITY_SECURE,
TB_SECURITY_DPONLY, TB_SECURITY_DPONLY,
TB_SECURITY_USBONLY, TB_SECURITY_USBONLY,
TB_SECURITY_NOPCIE,
}; };
/** /**