[PATCH v10 2/2] PCI: Rename pci_dev->untrusted to pci_dev->requires_dma_protection
From: Dmytro Maluka
Date: Mon May 25 2026 - 18:42:20 EST
From: Rajat Jain <rajatja@xxxxxxxxxx>
Rename the field to make it more clear, that the device can execute DMA
attacks on the system, and thus the system needs protection from such
attacks from this device.
No functional change intended.
Signed-off-by: Rajat Jain <rajatja@xxxxxxxxxx>
Reviewed-by: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>
Reviewed-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@xxxxxxxxx>
Signed-off-by: Joshua Peraza <jperaza@xxxxxxxxxx>
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Dmytro Maluka <dmaluka@xxxxxxxxxxxx>
---
drivers/iommu/amd/iommu.c | 3 +--
drivers/iommu/dma-iommu.c | 16 ++++++++--------
drivers/iommu/intel/iommu.c | 10 +++++-----
drivers/iommu/iommu.c | 5 ++---
drivers/pci/ats.c | 2 +-
drivers/pci/pci-acpi.c | 2 +-
drivers/pci/pci.c | 2 +-
drivers/pci/probe.c | 10 +++++-----
drivers/pci/quirks.c | 4 ++--
include/linux/pci.h | 7 ++++---
10 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 57dc8fabc7d9..70005fe16e64 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -3133,8 +3133,7 @@ static int amd_iommu_def_domain_type(struct device *dev)
if (!dev_data)
return 0;
- /* Always use DMA domain for untrusted device */
- if (dev_is_pci(dev) && to_pci_dev(dev)->untrusted)
+ if (dev_is_pci(dev) && to_pci_dev(dev)->requires_dma_protection)
return IOMMU_DOMAIN_DMA;
/*
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index 54d96e847f16..63a0b24b24e2 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -588,16 +588,16 @@ static int iova_reserve_iommu_regions(struct device *dev,
return ret;
}
-static bool dev_is_untrusted(struct device *dev)
+static bool dev_requires_dma_protection(struct device *dev)
{
- return dev_is_pci(dev) && to_pci_dev(dev)->untrusted;
+ return dev_is_pci(dev) && to_pci_dev(dev)->requires_dma_protection;
}
static bool dev_use_swiotlb(struct device *dev, size_t size,
enum dma_data_direction dir)
{
return IS_ENABLED(CONFIG_SWIOTLB) &&
- (dev_is_untrusted(dev) ||
+ (dev_requires_dma_protection(dev) ||
dma_kmalloc_needs_bounce(dev, size, dir));
}
@@ -610,7 +610,7 @@ static bool dev_use_sg_swiotlb(struct device *dev, struct scatterlist *sg,
if (!IS_ENABLED(CONFIG_SWIOTLB))
return false;
- if (dev_is_untrusted(dev))
+ if (dev_requires_dma_protection(dev))
return true;
/*
@@ -1183,12 +1183,12 @@ static phys_addr_t iommu_dma_map_swiotlb(struct device *dev, phys_addr_t phys,
attrs);
/*
- * Untrusted devices should not see padding areas with random leftover
- * kernel data, so zero the pre- and post-padding.
+ * Zero the pre- and post-padding to prevent exposing kernel data to devices
+ * requiring DMA protection.
* swiotlb_tbl_map_single() has initialized the bounce buffer proper to
* the contents of the original memory buffer.
*/
- if (phys != (phys_addr_t)DMA_MAPPING_ERROR && dev_is_untrusted(dev)) {
+ if (phys != (phys_addr_t)DMA_MAPPING_ERROR && dev_requires_dma_protection(dev)) {
size_t start, virt = (size_t)phys_to_virt(phys);
/* Pre-padding */
@@ -1761,7 +1761,7 @@ size_t iommu_dma_opt_mapping_size(void)
size_t iommu_dma_max_mapping_size(struct device *dev)
{
- if (dev_is_untrusted(dev))
+ if (dev_requires_dma_protection(dev))
return swiotlb_max_mapping_size(dev);
return SIZE_MAX;
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 4d0e65bc131d..0c10d48fae6e 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -2487,7 +2487,7 @@ static int __init platform_optin_force_iommu(void)
/*
* If Intel-IOMMU is disabled by default, we will apply identity
- * map for all devices except those marked as being untrusted.
+ * map for all devices except those marked as requiring DMA protection.
*/
if (dmar_disabled)
iommu_set_default_passthrough(false);
@@ -3491,13 +3491,13 @@ static bool intel_iommu_is_attach_deferred(struct device *dev)
}
/*
- * Check that the device does not live on an external facing PCI port that is
- * marked as untrusted. Such devices should not be able to apply quirks and
- * thus not be able to bypass the IOMMU restrictions.
+ * Check that the device does not require DMA protection. Such devices should
+ * not be able to apply quirks and thus not be able to bypass the IOMMU
+ * restrictions.
*/
static bool risky_device(struct pci_dev *pdev)
{
- if (pdev->untrusted) {
+ if (pdev->requires_dma_protection) {
pci_info(pdev,
"Skipping IOMMU quirk for dev [%04X:%04X] on untrusted PCI link\n",
pdev->vendor, pdev->device);
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index d1a9e713d3a0..4614342dc15b 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1902,10 +1902,9 @@ static int iommu_get_default_domain_type(struct iommu_group *group,
driver_type = iommu_get_def_domain_type(group, gdev->dev,
driver_type);
- if (dev_is_pci(gdev->dev) && to_pci_dev(gdev->dev)->untrusted) {
+ if (dev_is_pci(gdev->dev) && to_pci_dev(gdev->dev)->requires_dma_protection) {
/*
- * No ARM32 using systems will set untrusted, it cannot
- * work.
+ * ARM32 systems don't support DMA protection.
*/
if (WARN_ON(IS_ENABLED(CONFIG_ARM_DMA_USE_IOMMU)))
return -1;
diff --git a/drivers/pci/ats.c b/drivers/pci/ats.c
index ec6c8dbdc5e9..8f5ad7122078 100644
--- a/drivers/pci/ats.c
+++ b/drivers/pci/ats.c
@@ -43,7 +43,7 @@ bool pci_ats_supported(struct pci_dev *dev)
if (!dev->ats_cap)
return false;
- return (dev->untrusted == 0);
+ return (dev->requires_dma_protection == 0);
}
EXPORT_SYMBOL_GPL(pci_ats_supported);
diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c
index 9af1bab27841..08a07e02bdf7 100644
--- a/drivers/pci/pci-acpi.c
+++ b/drivers/pci/pci-acpi.c
@@ -1457,7 +1457,7 @@ void pci_acpi_setup(struct device *dev, struct acpi_device *adev)
pci_acpi_optimize_delay(pci_dev, adev->handle);
pci_acpi_set_external_facing(pci_dev);
- pci_dev->untrusted |= pci_dev_has_dma_property(pci_dev);
+ pci_dev->requires_dma_protection |= pci_dev_has_dma_property(pci_dev);
pci_acpi_add_edr_notifier(pci_dev);
pci_acpi_add_pm_notifier(adev, pci_dev);
diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index d34266651ad0..4273c4ab6d9d 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1003,7 +1003,7 @@ static void pci_std_enable_acs(struct pci_dev *dev, struct pci_acs *caps)
caps->ctrl |= (dev->acs_capabilities & PCI_ACS_UF);
/* Enable Translation Blocking for external devices and noats */
- if (pci_ats_disabled() || dev->external_facing || dev->untrusted)
+ if (pci_ats_disabled() || dev->external_facing || dev->requires_dma_protection)
caps->ctrl |= (dev->acs_capabilities & PCI_ACS_TB);
}
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index b63cd0c310bc..060210aaca2e 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1738,7 +1738,7 @@ static void set_pcie_cxl(struct pci_dev *dev)
}
-static void set_pcie_untrusted(struct pci_dev *dev)
+static void pci_set_requires_dma_protection(struct pci_dev *dev)
{
struct pci_dev *parent = pci_upstream_bridge(dev);
@@ -1748,14 +1748,14 @@ static void set_pcie_untrusted(struct pci_dev *dev)
* If the upstream bridge is untrusted we treat this device as
* untrusted as well.
*/
- if (parent->untrusted) {
- dev->untrusted = true;
+ if (parent->requires_dma_protection) {
+ dev->requires_dma_protection = true;
return;
}
if (arch_pci_dev_is_removable(dev)) {
pci_dbg(dev, "marking as untrusted\n");
- dev->untrusted = true;
+ dev->requires_dma_protection = true;
}
}
@@ -2077,7 +2077,7 @@ int pci_setup_device(struct pci_dev *dev)
set_pcie_cxl(dev);
- set_pcie_untrusted(dev);
+ pci_set_requires_dma_protection(dev);
if (pci_is_pcie(dev))
dev->supported_speeds = pcie_get_supported_speeds(dev);
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index caaed1a01dc0..ca7c964b593f 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -5380,7 +5380,7 @@ static void pci_quirk_enable_intel_rp_mpc_acs(struct pci_dev *dev)
* PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF
*
* TODO: This quirk also needs to do equivalent of PCI_ACS_TB,
- * if dev->external_facing || dev->untrusted
+ * if dev->external_facing || dev->requires_dma_protection
*/
static int pci_quirk_enable_intel_pch_acs(struct pci_dev *dev)
{
@@ -5421,7 +5421,7 @@ static int pci_quirk_enable_intel_spt_pch_acs(struct pci_dev *dev)
ctrl |= (cap & PCI_ACS_CR);
ctrl |= (cap & PCI_ACS_UF);
- if (pci_ats_disabled() || dev->external_facing || dev->untrusted)
+ if (pci_ats_disabled() || dev->external_facing || dev->requires_dma_protection)
ctrl |= (cap & PCI_ACS_TB);
pci_write_config_dword(dev, pos + INTEL_SPT_ACS_CTRL, ctrl);
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 2c4454583c11..672577378650 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -485,13 +485,14 @@ struct pci_dev {
unsigned int is_thunderbolt:1; /* Thunderbolt controller */
unsigned int is_cxl:1; /* Compute Express Link (CXL) */
/*
- * Devices marked being untrusted are the ones that can potentially
- * execute DMA attacks and similar. They are typically connected
+ * Devices marked with requires_dma_protection are the ones that can
+ * potentially execute DMA attacks and similar. They are typically connected
* through external ports such as Thunderbolt but not limited to
* that. When an IOMMU is enabled they should be getting full
* mappings to make sure they cannot access arbitrary memory.
*/
- unsigned int untrusted:1;
+ unsigned int requires_dma_protection:1;
+
/*
* Info from the platform, e.g., ACPI or device tree, may mark a
* device as "external-facing". An external-facing device is
--
2.54.0.794.g4f17f83d09-goog