[x86] intel-iommu: Exclude integrated GPUs by default

- intel-iommu: Add option to exclude integrated GPU only - intel-iommu: Add Kconfig option to exclude iGPU by default - Enable INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF instead of INTEL_IOMMU_DEFAULT_ON
author: Ben Hutchings <ben@decadent.org.uk> 2019-08-21 00:38:30 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2019-08-21 01:21:09 +0100
commit: 154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf (patch)
tree: 6495f525c8ac7e23bdd221feffc7286ccbcbfdd6
parent: 6df8672de991a068a98b9fb90b8c893b9e85e253 (diff)
download: kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.tar.gz
kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.tar.bz2
kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.zip
5 files changed, 176 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 64859288b493..a2168ff8093f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,11 @@ linux (5.2.9-2) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * Partially revert "net: socket: implement 64-bit timestamps"
     (fixes build/test regressions for glibc, qemu, suricata)
+  * [x86] intel-iommu: Exclude integrated GPUs by default:
+    - intel-iommu: Add option to exclude integrated GPU only
+    - intel-iommu: Add Kconfig option to exclude iGPU by default
+    - Enable INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF instead of
+      INTEL_IOMMU_DEFAULT_ON
 
   [ Thomas W ]
   * [x86] Add various laptop modules. (Closes: #932086)
diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config
index 33c40174913a..23b943b52c45 100644
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@@ -832,7 +832,7 @@ CONFIG_TOUCHSCREEN_SURFACE3_SPI=m
 ##
 CONFIG_INTEL_IOMMU=y
 CONFIG_INTEL_IOMMU_SVM=y
-CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF=y
 CONFIG_IRQ_REMAP=y
 
 ##
diff --git a/debian/patches/features/all/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch b/debian/patches/features/all/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
new file mode 100644
index 000000000000..53cd3c914c7c
--- /dev/null
+++ b/debian/patches/features/all/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
@@ -0,0 +1,82 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 21 Aug 2019 00:32:16 +0100
+Subject: intel-iommu: Add Kconfig option to exclude iGPU by default
+Bug-Kali: https://bugs.kali.org/view.php?id=5644
+
+There is still laptop firmware that touches the integrated GPU behind
+the operating system's back, and doesn't say so in the RMRR table.
+Enabling the IOMMU for all devices causes breakage.
+
+Replace CONFIG_INTEL_IOMMU_DEFAULT_ON with a 3-way choice
+corresponding to "on", "off", and "on,intgpu_off".
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/iommu/Kconfig
++++ b/drivers/iommu/Kconfig
+@@ -212,14 +212,28 @@ config INTEL_IOMMU_SVM
+ 	  to access DMA resources through process address space by
+ 	  means of a Process Address Space ID (PASID).
+ 
+-config INTEL_IOMMU_DEFAULT_ON
+-	def_bool y
+-	prompt "Enable Intel DMA Remapping Devices by default"
+-	depends on INTEL_IOMMU
++if INTEL_IOMMU
++
++choice
++	prompt "Default state of Intel DMA Remapping Devices"
++	default INTEL_IOMMU_DEFAULT_ON
+ 	help
+-	  Selecting this option will enable a DMAR device at boot time if
+-	  one is found. If this option is not selected, DMAR support can
+-	  be enabled by passing intel_iommu=on to the kernel.
++	  Choose whether Intel DMA Remapping Devices should be enabled
++	  by default. This can be overridden at boot time using the
++	  intel_iommu= kernel parameter.
++
++config INTEL_IOMMU_DEFAULT_ON
++	bool "Enable"
++
++config INTEL_IOMMU_DEFAULT_ON_INTGPU_OFF
++	bool "Enable, excluding integrated GPU"
++
++config INTEL_IOMMU_DEFAULT_OFF
++	bool "Disable"
++
++endchoice
++
++endif
+ 
+ config INTEL_IOMMU_BROKEN_GFX_WA
+ 	bool "Workaround broken graphics drivers (going away soon)"
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -346,17 +346,13 @@ static void domain_context_clear(struct
+ static int domain_detach_iommu(struct dmar_domain *domain,
+ 			       struct intel_iommu *iommu);
+ 
+-#ifdef CONFIG_INTEL_IOMMU_DEFAULT_ON
+-int dmar_disabled = 0;
+-#else
+-int dmar_disabled = 1;
+-#endif /*CONFIG_INTEL_IOMMU_DEFAULT_ON*/
++int dmar_disabled = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_OFF);
+ 
+ int intel_iommu_enabled = 0;
+ EXPORT_SYMBOL_GPL(intel_iommu_enabled);
+ 
+ static int dmar_map_gfx = 1;
+-static int dmar_map_intgpu = 1;
++static int dmar_map_intgpu = IS_ENABLED(CONFIG_INTEL_IOMMU_DEFAULT_ON);
+ static int dmar_forcedac;
+ static int intel_iommu_strict;
+ static int intel_iommu_superpage = 1;
+@@ -437,6 +433,7 @@ static int __init intel_iommu_setup(char
+ 	while (*str) {
+ 		if (!strncmp(str, "on", 2)) {
+ 			dmar_disabled = 0;
++			dmar_map_intgpu = 1;
+ 			pr_info("IOMMU enabled\n");
+ 		} else if (!strncmp(str, "off", 3)) {
+ 			dmar_disabled = 1;
diff --git a/debian/patches/features/all/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch b/debian/patches/features/all/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
new file mode 100644
index 000000000000..1696d473050a
--- /dev/null
+++ b/debian/patches/features/all/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
@@ -0,0 +1,86 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 21 Aug 2019 00:05:30 +0100
+Subject: intel-iommu: Add option to exclude integrated GPU only
+Bug-Kali: https://bugs.kali.org/view.php?id=5644
+
+There is still laptop firmware that touches the integrated GPU behind
+the operating system's back, and doesn't say so in the RMRR table.
+Enabling the IOMMU for all devices causes breakage, but turning it off
+for all graphics devices seems like a major weakness.
+
+Add an option, intel_iommu=igpu_off, to exclude only integrated GPUs
+from remapping.  This is a narrower exclusion than igfx_off: it only
+affects Intel devices on the root bus.  Devices attached through an
+external port (Thunderbolt or ExpressCard) won't be on the root bus.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -52,6 +52,9 @@
+ #define CONTEXT_SIZE		VTD_PAGE_SIZE
+ 
+ #define IS_GFX_DEVICE(pdev) ((pdev->class >> 16) == PCI_BASE_CLASS_DISPLAY)
++#define IS_INTGPU_DEVICE(pdev) (IS_GFX_DEVICE(pdev) &&		\
++				(pdev)->vendor == 0x8086 &&	\
++				pci_is_root_bus((pdev)->bus))
+ #define IS_USB_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_SERIAL_USB)
+ #define IS_ISA_DEVICE(pdev) ((pdev->class >> 8) == PCI_CLASS_BRIDGE_ISA)
+ #define IS_AZALIA(pdev) ((pdev)->vendor == 0x8086 && (pdev)->device == 0x3a3e)
+@@ -353,6 +356,7 @@ int intel_iommu_enabled = 0;
+ EXPORT_SYMBOL_GPL(intel_iommu_enabled);
+ 
+ static int dmar_map_gfx = 1;
++static int dmar_map_intgpu = 1;
+ static int dmar_forcedac;
+ static int intel_iommu_strict;
+ static int intel_iommu_superpage = 1;
+@@ -362,6 +366,7 @@ static int iommu_identity_mapping;
+ #define IDENTMAP_ALL		1
+ #define IDENTMAP_GFX		2
+ #define IDENTMAP_AZALIA		4
++#define IDENTMAP_INTGPU		8
+ 
+ #define sm_supported(iommu)	(intel_iommu_sm && ecap_smts((iommu)->ecap))
+ #define pasid_supported(iommu)	(sm_supported(iommu) &&			\
+@@ -440,6 +445,9 @@ static int __init intel_iommu_setup(char
+ 		} else if (!strncmp(str, "igfx_off", 8)) {
+ 			dmar_map_gfx = 0;
+ 			pr_info("Disable GFX device mapping\n");
++		} else if (!strncmp(str, "intgpu_off", 8)) {
++			dmar_map_intgpu = 0;
++			pr_info("Disable integrated GPU device mapping\n");
+ 		} else if (!strncmp(str, "forcedac", 8)) {
+ 			pr_info("Forcing DAC for PCI devices\n");
+ 			dmar_forcedac = 1;
+@@ -2951,6 +2959,9 @@ static int iommu_should_identity_map(str
+ 		if ((iommu_identity_mapping & IDENTMAP_GFX) && IS_GFX_DEVICE(pdev))
+ 			return 1;
+ 
++		if ((iommu_identity_mapping & IDENTMAP_INTGPU) && IS_INTGPU_DEVICE(pdev))
++			return 1;
++
+ 		if (!(iommu_identity_mapping & IDENTMAP_ALL))
+ 			return 0;
+ 
+@@ -3416,6 +3427,9 @@ static int __init init_dmars(void)
+ 	if (!dmar_map_gfx)
+ 		iommu_identity_mapping |= IDENTMAP_GFX;
+ 
++	if (!dmar_map_intgpu)
++		iommu_identity_mapping |= IDENTMAP_INTGPU;
++
+ 	check_tylersburg_isoch();
+ 
+ 	if (iommu_identity_mapping) {
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -1699,6 +1699,8 @@
+ 			bypassed by not enabling DMAR with this option. In
+ 			this case, gfx device will use physical address for
+ 			DMA.
++		intgpu_off [Default Off]
++			Bypass the DMAR unit for an integrated GPU only.
+ 		forcedac [x86_64]
+ 			With this option iommu will not optimize to look
+ 			for io virtual address below 32-bit forcing dual
diff --git a/debian/patches/series b/debian/patches/series
index c1f6046506f9..8c3ec5248f2a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -48,6 +48,8 @@ debian/sched-autogroup-disabled.patch
 debian/yama-disable-by-default.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
 features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
+features/all/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
+features/all/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
 
 # Disable autoloading/probing of various drivers by default
 debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
author	Ben Hutchings <ben@decadent.org.uk>	2019-08-21 00:38:30 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2019-08-21 01:21:09 +0100
commit	154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf (patch)
tree	6495f525c8ac7e23bdd221feffc7286ccbcbfdd6
parent	6df8672de991a068a98b9fb90b8c893b9e85e253 (diff)
download	kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.tar.gz kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.tar.bz2 kernel_replicant_linux-154cf246f657fc7d077a9bc0aa31ca4d32cfdeaf.zip