Message-ID: <SI2PR01MB4393B836EA4FEDD1823483BADC94A@SI2PR01MB4393.apcprd01.prod.exchangelabs.com>
Date: Fri, 23 Jan 2026 09:49:41 +0800
From: Wei Wang <wei.w.wang@...mail.com>
To: bhelgaas@...gle.com,
	jgg@...dia.com,
	akpm@...ux-foundation.org,
	bp@...en8.de,
	rdunlap@...radead.org,
	alex@...zbot.org,
	kevin.tian@...el.com
Cc: linux-kernel@...r.kernel.org,
	linux-pci@...r.kernel.org,
	wei.w.wang@...mail.com
Subject: [PATCH v2 0/2] PCI: Add support for ACS Enhanced Capability

This patchset adds support for the Access Control Services (ACS) Enhanced
Capability, introduced with PCIe Gen 5. The ACS Enhanced Capability
provides additional access control features that improve device isolation
— particularly important in virtualization scenarios where devices are
passed through to different virtual machines (VMs). Strong isolation is
critical to ensure security between devices assigned to different VMs and
the host.

In Linux, device grouping assumes that devices in separate IOMMU groups
are properly isolated. To uphold this assumption, the enhanced ACS
controls are enabled by default on hardware that supports the PCI_ACS_ECAP
capability. As with other basic ACS access controls, these new controls
can be configured via the config_acs= boot parameter.

Support for checking the enhanced ACS controls on Root and Downstream
Ports has been added to pci_acs_enabled(). On devices that support
PCI_ACS_ECAP, these controls must be properly enabled. To maintain
compatibility with legacy devices that lack PCI_ACS_ECAP support,
pci_acs_enabled() skips the check and logs a warning to indicate that
isolation may be incomplete.

v1->v2 changes:
- Enabled all enhanced ACS controls by default, rather than just Unclaimed
  Request Redirect (which addressed the primary issue we encountered).
- Added checks for enhanced ACS controls on Root and Downstream Ports in
  pci_acs_enabled() to ensure proper enablement when grouping devices or
  enabling features such as IOMMU PASID.

Thanks to Jason Gunthorpe for reviewing the patchset.

Wei Wang (2):
  PCI: Enable the enhanced ACS controls introduced by PCI_ACS_ECAP
  PCI: Add the enhanced ACS controls check to pci_acs_flags_enabled()

 .../admin-guide/kernel-parameters.txt         | 23 ++++--
 drivers/pci/pci.c                             | 80 ++++++++++++++++++-
 include/uapi/linux/pci_regs.h                 |  7 ++
 3 files changed, 102 insertions(+), 8 deletions(-)


base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
-- 
2.51.0

