From: Ingo Molnar <mingo@kernel.org>
To: Joerg Roedel <jroedel@suse.de>
Cc: Shaohua Li <shli@fb.com>,
linux-kernel@vger.kernel.org, gang.wei@intel.com,
hpa@linux.intel.com, kernel-team@fb.com, ning.sun@intel.com,
srihan@fb.com, alex.eydelberg@intel.com
Subject: Re: [PATCH V2] x86/tboot: add an option to disable iommu force on
Date: Fri, 5 May 2017 08:59:20 +0200 [thread overview]
Message-ID: <20170505065920.qagb7qvmr3iryyzj@gmail.com> (raw)
In-Reply-To: <20170427084207.GU5077@suse.de>
* Joerg Roedel <jroedel@suse.de> wrote:
> On Thu, Apr 27, 2017 at 08:51:42AM +0200, Ingo Molnar wrote:
> > > + tboot_noforce [Default Off]
> > > + Do not force the Intel IOMMU enabled under tboot.
> > > + By default, tboot will force Intel IOMMU on, which
> > > + could harm performance of some high-throughput
> > > + devices like 40GBit network cards, even if identity
> > > + mapping is enabled.
> > > + Note that using this option lowers the security
> > > + provided by tboot because it makes the system
> > > + vulnerable to DMA attacks.
> >
> > So what's the purpose of this kernel option?
> >
> > It sure isn't the proper solution for correctly architectured hardware/firmware
> > (which can just choose not to expose the IOMMU!), and for one-time hacks for
> > special embedded systems or for debugging why not just add an iommu=off option to
> > force it off?
>
> I guess that tboot requires an IOMMU to be present in order to work. It
> will do initial IOMMU setup and hands the hardware over to Linux later
> on.
>
> The problem solved here is that someone wants tboot for security
> reasons, but doesn't want the performance penalty of having the IOMMU
> enabled and can live with the risk of an DMA attack.
Yes, that makes sense - but in this case it would be far more user friendly to
make it a sysctl, not a boot option. This is also much more manageable for
distributions and also allows it to be more easily turned into a security policy
feature.
New boot options should be for debugging hacks in essence - any serious hardware
configuration should be done via more user-friendly methods.
Thanks,
Ingo
next prev parent reply other threads:[~2017-05-05 6:59 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-26 16:18 [PATCH V2] x86/tboot: add an option to disable iommu force on Shaohua Li
2017-04-26 21:59 ` Joerg Roedel
2017-04-27 6:52 ` Ingo Molnar
2017-04-28 22:07 ` Joerg Roedel
2017-04-27 6:51 ` Ingo Molnar
2017-04-27 8:42 ` Joerg Roedel
2017-04-27 14:49 ` Shaohua Li
2017-04-27 15:18 ` Joerg Roedel
2017-04-27 15:41 ` Shaohua Li
2017-04-27 16:04 ` Joerg Roedel
2017-05-05 6:59 ` Ingo Molnar [this message]
2017-05-05 8:40 ` Joerg Roedel
2017-05-06 9:48 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170505065920.qagb7qvmr3iryyzj@gmail.com \
--to=mingo@kernel.org \
--cc=alex.eydelberg@intel.com \
--cc=gang.wei@intel.com \
--cc=hpa@linux.intel.com \
--cc=jroedel@suse.de \
--cc=kernel-team@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ning.sun@intel.com \
--cc=shli@fb.com \
--cc=srihan@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).