2 comments:
File src/soc/intel/tigerlake/chip.c:
Patch Set #6, Line 142: if ((pci_read_config32(dev, CAPID0_A) & VTD_DISABLE))
Disabling BME before handing off to the OS is guidance for Thunderbolt VT-d security-based platforms. The implication seems to be that it is not necessary to implement it if VT-d is disabled.
We don't lose anything by unconditionally disabling BME. I think it is necessary from a policy perspective. We can err on the conservative side and let the other software that runs make the decisions. I don't think we should be limiting our policy based on whether VT-d is enabled or not.
Patch Set #6, Line 157: clear_tbt_pcie_rp_bme(dev, PCI_DEVICE_ID_INTEL_TGL_TBT_RP3);
As specified in the Thunderbolt implementation guide for VT-d security-based platforms, the requirement is […]
Thunderbolt has many security vulnerabilities. VT-d is one way to help plug some of those. That is why we should unconditionally disable BME and let the OS make the policy.
To view, visit change 40968.