Date: Fri, 5 May 2017 08:59:20 +0200
From: Ingo Molnar
To: Joerg Roedel
Cc: Shaohua Li, linux-kernel@vger.kernel.org, gang.wei@intel.com, hpa@linux.intel.com, kernel-team@fb.com, ning.sun@intel.com, srihan@fb.com, alex.eydelberg@intel.com
Subject: Re: [PATCH V2] x86/tboot: add an option to disable iommu force on
Message-ID: <20170505065920.qagb7qvmr3iryyzj@gmail.com>
References: <1c2cadcf5cd7d19cea93c56435610e61b551bd1e.1493223474.git.shli@fb.com> <20170427065142.lnsdegq7zwxacqo2@gmail.com> <20170427084207.GU5077@suse.de>
In-Reply-To: <20170427084207.GU5077@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

* Joerg Roedel wrote:

> On Thu, Apr 27, 2017 at 08:51:42AM +0200, Ingo Molnar wrote:
> > > + tboot_noforce [Default Off]
> > > + Do not force the Intel IOMMU enabled under tboot.
> > > + By default, tboot will force Intel IOMMU on, which
> > > + could harm performance of some high-throughput
> > > + devices like 40GBit network cards, even if identity
> > > + mapping is enabled.
> > > + Note that using this option lowers the security
> > > + provided by tboot because it makes the system
> > > + vulnerable to DMA attacks.
> >
> > So what's the purpose of this kernel option?
> >
> > It sure isn't the proper solution for correctly architectured hardware/firmware
> > (which can just choose not to expose the IOMMU!), and for one-time hacks for
> > special embedded systems or for debugging why not just add an iommu=off option to
> > force it off?
>
> I guess that tboot requires an IOMMU to be present in order to work. It
> will do initial IOMMU setup and hands the hardware over to Linux later
> on.
>
> The problem solved here is that someone wants tboot for security
> reasons, but doesn't want the performance penalty of having the IOMMU
> enabled and can live with the risk of a DMA attack.

Yes, that makes sense - but in this case it would be far more user friendly to make
it a sysctl, not a boot option. This is also much more manageable for distributions
and also allows it to be more easily turned into a security policy feature.

New boot options should be for debugging hacks in essence - any serious hardware
configuration should be done via more user-friendly methods.

Thanks,

	Ingo
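
Review bot: in the quoted tboot_noforce documentation hunk, the first sentence ("Do not force the Intel IOMMU enabled under tboot.") says what the kernel stops doing but not what state the IOMMU ends up in once the option is given, i.e. whether it stays off or follows the other IOMMU settings on the command line. Since the closing note says the option makes the system vulnerable to DMA attacks, the text should state exactly when that protection is lost, so an administrator can tell from the documentation alone whether a given command line leaves DMA remapping active. Two wording points in the same hunk: "force the Intel IOMMU enabled" would read better as "force the Intel IOMMU on", matching the next sentence, and "40GBit" should be written as "40 Gbit/s".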