linux-acpi.vger.kernel.org archive mirror
From: Mika Westerberg <mika.westerberg@linux.intel.com>
To: linux-usb@vger.kernel.org
Cc: Michael Jamet <michael.jamet@intel.com>,
	Yehezkel Bernat <YehezkelShB@gmail.com>,
	Andreas Noever <andreas.noever@gmail.com>,
	Lukas Wunner <lukas@wunner.de>,
	Mario Limonciello <mario.limonciello@dell.com>,
	"Rafael J. Wysocki" <rjw@rjwysocki.net>,
	Christian Kellner <christian@kellner.me>,
	Len Brown <lenb@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Mika Westerberg <mika.westerberg@linux.intel.com>,
	linux-acpi@vger.kernel.org
Subject: [PATCH 2/6] thunderbolt: Add support for PCIe tunneling disabled (SL5)
Date: Tue, 26 Jan 2021 18:57:19 +0300
Message-ID: <20210126155723.9388-3-mika.westerberg@linux.intel.com>
In-Reply-To: <20210126155723.9388-1-mika.westerberg@linux.intel.com>

Recent Intel Thunderbolt firmware connection manager has support for
another security level, SL5, that disables PCIe tunneling. This option
can be turned on from the BIOS.

When this is set the driver exposes a new security level "nopcie" to the
userspace and hides the authorized attribute under connected devices.

While there we also hide it when "dponly" security level is enabled
since it is not really usable in that case anyway.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
---
 Documentation/ABI/testing/sysfs-bus-thunderbolt |  2 ++
 Documentation/admin-guide/thunderbolt.rst       |  7 +++++++
 drivers/thunderbolt/domain.c                    | 12 +++++++++++-
 drivers/thunderbolt/switch.c                    |  6 +++++-
 include/linux/thunderbolt.h                     |  3 +++
 5 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/Documentation/ABI/testing/sysfs-bus-thunderbolt b/Documentation/ABI/testing/sysfs-bus-thunderbolt
index 581dea95245b..d7f09d011b6d 100644
--- a/Documentation/ABI/testing/sysfs-bus-thunderbolt
+++ b/Documentation/ABI/testing/sysfs-bus-thunderbolt
@@ -85,6 +85,8 @@ Description:	This attribute holds current Thunderbolt security level
 		usbonly  Automatically tunnel USB controller of the
 			 connected Thunderbolt dock (and Display Port). All
 			 PCIe links downstream of the dock are removed.
+		nopcie   USB4 system where PCIe tunneling is disabled from
+			 the BIOS.
 		=======  ==================================================
 
 What: /sys/bus/thunderbolt/devices/.../authorized
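Review bot: the ABI entry for /sys/bus/thunderbolt/devices/.../authorized, which starts right below this hunk, is left untouched even though switch.c in this same patch stops exposing that attribute when the security level is nopcie or dponly. Add a sentence to that entry stating that the attribute is absent under those two levels, so userspace tooling that probes for it does not treat a missing file as an error.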
diff --git a/Documentation/admin-guide/thunderbolt.rst b/Documentation/admin-guide/thunderbolt.rst
index 0d4348445f91..f18e881373c4 100644
--- a/Documentation/admin-guide/thunderbolt.rst
+++ b/Documentation/admin-guide/thunderbolt.rst
@@ -47,6 +47,9 @@ be DMA masters and thus read contents of the host memory without CPU and OS
 knowing about it. There are ways to prevent this by setting up an IOMMU but
 it is not always available for various reasons.
 
+Some USB4 systems have a BIOS setting to disable PCIe tunneling. This is
+treated as another security level (nopcie).
+
 The security levels are as follows:
 
   none
@@ -77,6 +80,10 @@ The security levels are as follows:
     Display Port in a dock. All PCIe links downstream of the dock are
     removed.
 
+  nopcie
+    PCIe tunneling is disabled/forbidden from the BIOS. Available in some
+    USB4 systems.
+
 The current security level can be read from
 ``/sys/bus/thunderbolt/devices/domainX/security`` where ``domainX`` is
 the Thunderbolt domain the host controller manages. There is typically
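Review bot: the new nopcie entry should spell out the user-visible effect that the rest of this patch implements: with nopcie (and dponly) the per-device authorized attribute is not created at all, so there is nothing to approve. Also pick one of "disabled/forbidden"; the ABI text in the same patch uses just "disabled".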
diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c
index 9ba2181464cc..a1c79c9c4f66 100644
--- a/drivers/thunderbolt/domain.c
+++ b/drivers/thunderbolt/domain.c
@@ -118,6 +118,7 @@ static const char * const tb_security_names[] = {
 	[TB_SECURITY_SECURE] = "secure",
 	[TB_SECURITY_DPONLY] = "dponly",
 	[TB_SECURITY_USBONLY] = "usbonly",
+	[TB_SECURITY_NOPCIE] = "nopcie",
 };
 
 static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr,
@@ -243,8 +244,14 @@ static ssize_t deauthorization_show(struct device *dev,
 				    char *buf)
 {
 	const struct tb *tb = container_of(dev, struct tb, dev);
+	bool deauthorization = false;
 
-	return sprintf(buf, "%d\n", !!tb->cm_ops->disapprove_switch);
+	/* Only meaningful if authorization is supported */
+	if (tb->security_level == TB_SECURITY_USER ||
+	    tb->security_level == TB_SECURITY_SECURE)
+		deauthorization = !!tb->cm_ops->disapprove_switch;
+
+	return sprintf(buf, "%d\n", deauthorization);
 }
 static DEVICE_ATTR_RO(deauthorization);
 
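Review bot: this changes what deauthorization reports for levels that are not touched elsewhere in the patch. Previously any level read 1 whenever cm_ops->disapprove_switch was set; now none, dponly, usbonly and nopcie all read 0. That is a userspace-visible behaviour change for existing systems that neither the commit message nor the ABI entry for deauthorization mentions; document it in both, and consider having the comment "Only meaningful if authorization is supported" name the two levels (user, secure) explicitly.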
@@ -452,6 +459,9 @@ int tb_domain_add(struct tb *tb)
 			goto err_ctl_stop;
 	}
 
+	tb_dbg(tb, "security level set to %s\n",
+	       tb_security_names[tb->security_level]);
+
 	ret = device_add(&tb->dev);
 	if (ret)
 		goto err_ctl_stop;
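Review bot: the new tb_dbg indexes tb_security_names[] directly with tb->security_level and there is no range check in this function. If security_level can ever hold a value the driver does not know (the array now ends at TB_SECURITY_NOPCIE), this reads past the array. Either guard it with `tb->security_level < ARRAY_SIZE(tb_security_names)` or add a comment noting where the value is validated before reaching tb_domain_add().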
diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c
index cdba05e72486..60fd92113740 100644
--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -1768,7 +1768,11 @@ static umode_t switch_attr_is_visible(struct kobject *kobj,
 	struct device *dev = kobj_to_dev(kobj);
 	struct tb_switch *sw = tb_to_switch(dev);
 
-	if (attr == &dev_attr_device.attr) {
+	if (attr == &dev_attr_authorized.attr) {
+		if (sw->tb->security_level == TB_SECURITY_NOPCIE ||
+		    sw->tb->security_level == TB_SECURITY_DPONLY)
+			return 0;
+	} else if (attr == &dev_attr_device.attr) {
 		if (!sw->device)
 			return 0;
 	} else if (attr == &dev_attr_device_name.attr) {
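Review bot: the set of levels used here (hide authorized for NOPCIE and DPONLY) differs from the set used in deauthorization_show() in the same patch (report 1 only for USER and SECURE). As written, none and usbonly keep a visible authorized attribute while reporting deauthorization as 0, which is a mixed signal for userspace. A single helper along the lines of `tb_security_level_has_authorization(tb)` used in both places would keep the two views consistent and make it obvious which levels are meant.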
diff --git a/include/linux/thunderbolt.h b/include/linux/thunderbolt.h
index 034dccf93955..659a0a810fa1 100644
--- a/include/linux/thunderbolt.h
+++ b/include/linux/thunderbolt.h
@@ -45,6 +45,8 @@ enum tb_cfg_pkg_type {
  * @TB_SECURITY_USBONLY: Only tunnel USB controller of the connected
  *			 Thunderbolt dock (and Display Port). All PCIe
  *			 links downstream of the dock are removed.
+ * @TB_SECURITY_NOPCIE: For USB4 systems this level is used when the
+ *			PCIe tunneling is disabled from the BIOS.
  */
 enum tb_security_level {
 	TB_SECURITY_NONE,
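Review bot: minor wording in the kerneldoc, "when the PCIe tunneling" should read "when PCIe tunneling". It would also help to follow the pattern of the USBONLY entry above and describe the user-visible effect, i.e. that the authorized attribute is not exposed for devices under this level.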
@@ -52,6 +54,7 @@ enum tb_security_level {
 	TB_SECURITY_SECURE,
 	TB_SECURITY_DPONLY,
 	TB_SECURITY_USBONLY,
+	TB_SECURITY_NOPCIE,
 };
 
 /**
-- 
2.29.2

