From ba8128aa4f9616fce09be935b909ea890f9c590a Mon Sep 17 00:00:00 2001
From: Mika Westerberg
Date: Tue, 4 Jun 2024 19:16:18 +0300
Subject: thunderbolt: Add Kconfig option to disable PCIe tunneling

In typical cases PCIe tunneling is needed to make the devices fully usable for the host system. However, it poses a security issue because they can also use DMA to access the host memory. We already have two ways of preventing this, one is an IOMMU that is enabled on recent systems by default and the second is the "authorized" attribute under each connected device that needs to be written by userspace before a PCIe tunnel is created.

This option adds one more by adding a Kconfig option, which is enabled by default, that can be used to make kernel binaries where PCIe tunneling is completely disabled.

Signed-off-by: Mika Westerberg
References: https://intel-gfx-ci.01.org/tree/drm-tip/Trybot_134314v1/bat-mtlp-9/boot0.txt
References: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11261
Signed-off-by: Imre Deak
Acked-by: Rodrigo Vivi
Link: https://patchwork.freedesktop.org/patch/msgid/20240604161618.1958674-1-imre.deak@intel.com
Signed-off-by: Rodrigo Vivi
---
 drivers/thunderbolt/Kconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'drivers/thunderbolt/Kconfig')

diff --git a/drivers/thunderbolt/Kconfig b/drivers/thunderbolt/Kconfig
index 0abdb69ee9f4..8bf4ecf7f76e 100644
--- a/drivers/thunderbolt/Kconfig
+++ b/drivers/thunderbolt/Kconfig
@@ -18,6 +18,24 @@ menuconfig USB4 if USB4 +config USB4_PCIE_TUNNELING + bool "Allow PCI Express tunneling over USB4 fabric" + depends on PCI + default y + help + USB4 and Thunderbolt devices typically include PCIe switch + with a number of PCIe endpoints such as USB host controllers, + GPUs and network adapters. These are made available to the + host system through PCIe tunneling. These can use DMA and + therefore have access to the host memory which is typically + guarded by an IOMMU. This option allows disabling PCIe + tunneling completely. + + For devices to be usable it is recommended to say Y here. + + Note this only works with systems that use Software Based + Connection Manager (this is most USB4 hosts). + config USB4_DEBUGFS_WRITE bool "Enable write by debugfs to configuration spaces (DANGEROUS)" help -- cgit v1.2.3
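Review bot: The last paragraph of the new help text ("Note this only works with systems that use Software Based Connection Manager") understates the consequence for the security case the commit message makes: on a host where the firmware connection manager creates the tunnels, CONFIG_USB4_PCIE_TUNNELING=n does not disable PCIe tunneling at all, so the help text should say that directly, for example "On systems using the firmware based connection manager PCIe tunnels are still created by the firmware and this option has no effect", rather than leaving someone who builds such a kernel to assume DMA-capable devices are kept off the fabric. Two smaller points: this view of the commit (limited to drivers/thunderbolt/Kconfig) shows only the symbol being defined, so confirm that the tunnel-creation path actually tests it, for instance with IS_ENABLED(CONFIG_USB4_PCIE_TUNNELING), since a symbol nothing reads protects nothing; and "typically include PCIe switch" should read "typically include a PCIe switch".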
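An added example, not code from the commit above or from the thunderbolt driver: a POSIX shell audit of the two existing controls the commit message names (the IOMMU, reported per domain through iommu_dma_protection, and the per-device "authorized" attribute), plus a check of the new symbol in a kernel .config. The sysfs attribute names and paths are the documented ones under /sys/bus/thunderbolt/devices; the function names, the "confined" policy and the fake sysfs tree the script builds are this example's own assumptions and constructions, so it runs without Thunderbolt hardware.

```sh
#!/bin/sh
# Added example, not code from the commit or the thunderbolt driver.
# Uses the documented sysfs attributes under /sys/bus/thunderbolt/devices:
#   domainN/security             - none, user, secure, dponly, usbonly or nopcie
#   domainN/iommu_dma_protection - 1 when the IOMMU confines tunneled PCIe devices
#   <device>/authorized          - 0 until userspace authorizes a PCIe tunnel
# Function names, the policy below and the fake tree are this example's own.

# Print one line per domain: "<domain> security=<level> iommu_dma_protection=<0|1>".
tb_domain_status() {
    local root="$1" d sec iommu
    for d in "$root"/sys/bus/thunderbolt/devices/domain*; do
        [ -f "$d/security" ] || continue
        sec=$(cat "$d/security")
        iommu=$(cat "$d/iommu_dma_protection" 2>/dev/null || echo 0)
        printf '%s security=%s iommu_dma_protection=%s\n' "$(basename "$d")" "$sec" "$iommu"
    done
}

# Print "<device> <device_name>" for every connected device not yet authorized.
tb_unauthorized() {
    local root="$1" d
    for d in "$root"/sys/bus/thunderbolt/devices/*; do
        [ -f "$d/authorized" ] || continue
        if [ "$(cat "$d/authorized")" = "0" ]; then
            printf '%s %s\n' "$(basename "$d")" "$(cat "$d/device_name" 2>/dev/null || echo '?')"
        fi
    done
}

# Return 0 when device DMA is confined by an existing control: a domain reports
# iommu_dma_protection=1 or security=nopcie (firmware already refuses PCIe
# tunnels), or no device has been authorized, so no PCIe tunnel exists yet.
# Return 1 otherwise. Assumes a single domain; check each domain on multi-domain hosts.
tb_dma_confined() {
    local root="$1" d
    for d in "$root"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        [ "$(cat "$d/iommu_dma_protection" 2>/dev/null)" = "1" ] && return 0
        [ "$(cat "$d/security" 2>/dev/null)" = "nopcie" ] && return 0
    done
    for d in "$root"/sys/bus/thunderbolt/devices/*; do
        [ -f "$d/authorized" ] || continue
        [ "$(cat "$d/authorized")" = "0" ] || return 1
    done
    return 0
}

# Print y, n or absent for CONFIG_USB4_PCIE_TUNNELING in a kernel .config file.
kconfig_pcie_tunneling() {
    if grep -q '^CONFIG_USB4_PCIE_TUNNELING=y' "$1"; then
        echo y
    elif grep -q '^# CONFIG_USB4_PCIE_TUNNELING is not set' "$1"; then
        echo n
    else
        echo absent
    fi
}

# Constructed sysfs tree (not captured from real hardware): one domain at the
# "user" security level without IOMMU protection, an authorized dock and an
# unauthorized eGPU enclosure. Prints the tree root.
make_fake_sysfs() {
    local root base
    root=$(mktemp -d)
    base="$root/sys/bus/thunderbolt/devices"
    mkdir -p "$base/domain0" "$base/0-1" "$base/0-3"
    echo user > "$base/domain0/security"
    echo 0 > "$base/domain0/iommu_dma_protection"
    echo 1 > "$base/0-1/authorized"
    echo "Thunderbolt Dock" > "$base/0-1/device_name"
    echo 0 > "$base/0-3/authorized"
    echo "eGPU enclosure" > "$base/0-3/device_name"
    echo "$root"
}

# Demo against the constructed tree. To audit a live system pass "" as the
# root (the real /sys) and /boot/config-$(uname -r) to kconfig_pcie_tunneling.
demo_root=$(make_fake_sysfs)
tb_domain_status "$demo_root"
tb_unauthorized "$demo_root"
if tb_dma_confined "$demo_root"; then
    echo "DMA confined"
else
    echo "DMA NOT confined: an authorized device with no IOMMU protection"
fi
rm -rf "$demo_root"
```

On the constructed tree the dock is already authorized and the domain reports no IOMMU protection, so the audit reports the unconfined case; flipping either iommu_dma_protection to 1 or the dock's authorized attribute back to 0 makes tb_dma_confined succeed, which is exactly the pair of controls the new Kconfig symbol is meant to back up at build time.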