| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID:
<SI2PR01MB43939A4D62F08C873D3954D2DC94A@SI2PR01MB4393.apcprd01.prod.exchangelabs.com>
Date: Fri, 23 Jan 2026 09:49:42 +0800
From: Wei Wang <wei.w.wang@...mail.com>
To: bhelgaas@...gle.com,
jgg@...dia.com,
akpm@...ux-foundation.org,
bp@...en8.de,
rdunlap@...radead.org,
alex@...zbot.org,
kevin.tian@...el.com
Cc: linux-kernel@...r.kernel.org,
linux-pci@...r.kernel.org,
wei.w.wang@...mail.com
Subject: [PATCH v2 1/2] PCI: Enable the enhanced ACS controls introduced by PCI_ACS_ECAP
The ACS Enhanced Capability introduces several new access controls to
improve device isolation. These new controls are particularly important
for device passthrough in virtualization scenarios.
For example, a DMA transaction from a device may target a guest physical
address that lies within the memory aperture of the switch's upstream
port, but not within any memory aperture or BAR space of a downstream
port. In such cases, the switch would generate an Unsupported Request (UR)
response to the device, which is undesirable. Enabling Unclaimed Request
Redirect Control ensures that these DMA requests are forwarded upstream
instead of being rejected.
The ACS DSP and USP Memory Target Access Control and ACS I/O Request
Blocking features similarly enhance device isolation. Device grouping in
Linux assumes that devices are properly isolated. Therefore, enable these
controls by default if PCI_ACS_ECAP is supported by the hardware. As with
other basic ACS access controls, these new controls can be configured via
the config_acs= boot parameter.
Signed-off-by: Wei Wang <wei.w.wang@...mail.com>
---
.../admin-guide/kernel-parameters.txt | 23 +++++++++++++------
drivers/pci/pci.c | 13 ++++++++++-
include/uapi/linux/pci_regs.h | 7 ++++++
3 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 5637bb35cb75..8f99f6d728b9 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5261,13 +5261,22 @@ Kernel parameters
flags.
ACS Flags is defined as follows:
- bit-0 : ACS Source Validation
- bit-1 : ACS Translation Blocking
- bit-2 : ACS P2P Request Redirect
- bit-3 : ACS P2P Completion Redirect
- bit-4 : ACS Upstream Forwarding
- bit-5 : ACS P2P Egress Control
- bit-6 : ACS Direct Translated P2P
+ bit-0 : ACS Source Validation
+ bit-1 : ACS Translation Blocking
+ bit-2 : ACS P2P Request Redirect
+ bit-3 : ACS P2P Completion Redirect
+ bit-4 : ACS Upstream Forwarding
+ bit-5 : ACS P2P Egress Control
+ bit-6 : ACS Direct Translated P2P
+ bit-7 : ACS I/O Request Blocking
+ bit-9:8 : ACS DSP Memory Target Access Ctrl
+ 00 : Direct Request access enabled
+ 01 : Request blocking enabled
+ 10 : Request redirect enabled
+ 11 : Reserved
+ bit-11:10 : ACS USP Memory Target Access Ctrl
+ Same encoding as bit-9:8
+ bit-12 : ACS Unclaimed Request Redirect Ctrl
Each bit can be marked as:
'0' – force disabled
'1' – force enabled
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 382ce8992387..c4cf835ec8ba 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -948,7 +948,10 @@ static void __pci_config_acs(struct pci_dev *dev, struct pci_acs *caps,
}
if (mask & ~(PCI_ACS_SV | PCI_ACS_TB | PCI_ACS_RR | PCI_ACS_CR |
- PCI_ACS_UF | PCI_ACS_EC | PCI_ACS_DT)) {
+ PCI_ACS_UF | PCI_ACS_EC | PCI_ACS_DT | PCI_ACS_IB |
+ PCI_ACS_DMAC_RB | PCI_ACS_DMAC_RR |
+ PCI_ACS_UMAC_RB | PCI_ACS_UMAC_RR |
+ PCI_ACS_URRC)) {
pci_err(dev, "Invalid ACS flags specified\n");
return;
}
@@ -1008,6 +1011,14 @@ static void pci_std_enable_acs(struct pci_dev *dev, struct pci_acs *caps)
/* Upstream Forwarding */
caps->ctrl |= (caps->cap & PCI_ACS_UF);
+ /*
+ * Downstream and Upstream Port Memory Target Access Redirect,
+ * Redirect Unclaimed Request Redirect Control
+ */
+ if (caps->cap & PCI_ACS_ECAP)
+ caps->ctrl |= PCI_ACS_DMAC_RR | PCI_ACS_UMAC_RR |
+ PCI_ACS_URRC | PCI_ACS_IB;
+
/* Enable Translation Blocking for external devices and noats */
if (pci_ats_disabled() || dev->external_facing || dev->untrusted)
caps->ctrl |= (caps->cap & PCI_ACS_TB);
diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
index 3add74ae2594..2b026aa91647 100644
--- a/include/uapi/linux/pci_regs.h
+++ b/include/uapi/linux/pci_regs.h
@@ -1011,6 +1011,7 @@
/* Access Control Service */
#define PCI_ACS_CAP 0x04 /* ACS Capability Register */
+#define PCI_ACS_ECAP 0x0080 /* ACS Enhanced Capability */
#define PCI_ACS_SV 0x0001 /* Source Validation */
#define PCI_ACS_TB 0x0002 /* Translation Blocking */
#define PCI_ACS_RR 0x0004 /* P2P Request Redirect */
@@ -1018,6 +1019,12 @@
#define PCI_ACS_UF 0x0010 /* Upstream Forwarding */
#define PCI_ACS_EC 0x0020 /* P2P Egress Control */
#define PCI_ACS_DT 0x0040 /* Direct Translated P2P */
+#define PCI_ACS_IB 0x0080 /* I/O Request Blocking */
+#define PCI_ACS_DMAC_RB 0x0100 /* DSP Memory Target Access Blocking */
+#define PCI_ACS_DMAC_RR 0x0200 /* DSP Memory Target Access Redirect */
+#define PCI_ACS_UMAC_RB 0x0400 /* USP Memory Target Access Blocking */
+#define PCI_ACS_UMAC_RR 0x0800 /* USP Memory Target Access Redirect */
+#define PCI_ACS_URRC 0x1000 /* Unclaimed Request Redirect Ctrl */
#define PCI_ACS_EGRESS_BITS 0x05 /* ACS Egress Control Vector Size */
#define PCI_ACS_CTRL 0x06 /* ACS Control Register */
#define PCI_ACS_EGRESS_CTL_V 0x08 /* ACS Egress Control Vector */
--
2.51.0
Powered by blists - more mailing lists