| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Jan 2024 11:03:18 -0500 From: Esther Shimanovich <eshimanovich@...omium.org> To: Mika Westerberg <mika.westerberg@...ux.intel.com> Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>, Mario Limonciello <mario.limonciello@....com>, Lukas Wunner <lukas@...ner.de>, Bjorn Helgaas <bhelgaas@...gle.com>, linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org, Rajat Jain <rajatja@...gle.com> Subject: Re: [PATCH v4] PCI: Relabel JHL6540 on Lenovo X1 Carbon 7,8 On Thu, Jan 18, 2024 at 1:01 AM Mika Westerberg <mika.westerberg@...ux.intel.com> wrote: > > Well that's pretty much all Intel Titan Ridge and Maple Ridge based > systems. Some early ones did not use IOMMU but all the rest do. .. > Before Intel Ice Lake it was all discrete and it is still discrete with > the Barlow Ridge controller who will have exact same ExternalFacing port > as the previous models. Next week I'll try those devices in our inventory to see if I can find another one with this bug. I'll get back to you on that! On Fri, Jan 19, 2024 at 2:58 AM Mika Westerberg <mika.westerberg@...ux.intel.com> wrote: > > Now if I understand the reason behind this patch is actually not about > "removability" that much than about identifying a trusted vs. untrusted > device and attaching a driver to those. I was under impression that > there is already a solution to this in ChromeOS kernel. It has an > allowlist of drivers that are allowed to attach these devices and that > includes the PCIe port drivers, xhci_hcd and the thunderbolt driver, > possibly something else too. Is this not working for your case? This device shouldn’t be treated as a removable thunderbolt device that is enabled by policy because it is an internal device that should be trusted in the first place. Even so, while learning about this problem I tried modifying the ChromeOS policy but it ended up not fixing the issue because it seems like there is an expectation for it to see an existing “fixed” thunderbolt port before it loads anything else. But the fixed thunderbolt port is prevented from enumerating during bootup, before the policy has a chance to work. On Fri, Jan 19, 2024 at 5:23 AM Mika Westerberg <mika.westerberg@...ux.intel.com> wrote: > > The below "might" work: > > 1. A device that is directly behind a PCIe root or downstream port that > has ->external_facing == 1. > > 2. It is a PCIe endpoint. > > 3. It is a sibling to or has any of the below PCI IDs (see > drivers/thunderbolt/nhi.h for the definitions): External pci devices seem to have the same kinds of chips in them. So this wouldn’t distinguish the “fixed but discrete” embedded pci devices from the “removable” pcie through usb devices. My monitor with thunderbolt capabilities has the JHL7540 chip in it. From the kernel's perspective, I have only found that the subsystem id is what distinguishes these devices. That is, unless I am missing something in your proposal that would distinguish a fixed JHL6540 chip from an external JHL6540 chip. Please correct me on any assumptions I get wrong!
Powered by blists - more mailing lists