linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Robin Murphy <robin.murphy@arm.com>
To: Ross Philipson <ross.philipson@oracle.com>,
	linux-kernel@vger.kernel.org, x86@kernel.org,
	iommu@lists.linux-foundation.org,
	linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org
Cc: dpsmith@apertussolutions.com, luto@amacapital.net,
	mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
	kanth.ghatraju@oracle.com, tglx@linutronix.de,
	trenchboot-devel@googlegroups.com
Subject: Re: [PATCH v4 04/14] Documentation/x86: Secure Launch kernel documentation
Date: Thu, 2 Dec 2021 17:26:19 +0000	[thread overview]
Message-ID: <bd677501-bd65-9648-c8f5-1b90983377b5@arm.com> (raw)
In-Reply-To: <1630070917-9896-5-git-send-email-ross.philipson@oracle.com>

On 2021-08-27 14:28, Ross Philipson wrote:
[...]
> +IOMMU Configuration
> +-------------------
> +
> +When doing a Secure Launch, the IOMMU should always be enabled and the drivers
> +loaded. However, IOMMU passthrough mode should never be used. This leaves the
> +MLE completely exposed to DMA after the PMR's [2]_ are disabled. First, IOMMU
> +passthrough should be disabled by default in the build configuration::
> +
> +  "Device Drivers" -->
> +      "IOMMU Hardware Support" -->
> +          "IOMMU passthrough by default [ ]"
> +
> +This unset the Kconfig value CONFIG_IOMMU_DEFAULT_PASSTHROUGH.

Note that the config structure has now changed, and if set, passthrough 
is deselected by choosing a different default domain type.

> +In addition, passthrough must be disabled on the kernel command line when doing
> +a Secure Launch as follows::
> +
> +  iommu=nopt iommu.passthrough=0

This part is a bit silly - those options are literally aliases for the 
exact same thing, and furthermore if the config is already set as 
required then the sole effect either of them will have is to cause "(set 
by kernel command line)" to be printed. There is no value in explicitly 
overriding the default value with the default value - if anyone can 
append an additional "iommu.passthrough=1" (or "iommu=pt") to the end of 
the command line they'll still win.

Robin.

  reply	other threads:[~2021-12-02 17:26 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-27 13:28 [PATCH v4 00/14] x86: Trenchboot secure dynamic launch Linux kernel support Ross Philipson
2021-08-27 13:28 ` [PATCH v4 01/14] x86/boot: Fix memremap of setup_indirect structures Ross Philipson
2021-09-22 12:01   ` Daniel Kiper
2021-08-27 13:28 ` [PATCH v4 02/14] x86/boot: Add setup_indirect support in early_memremap_is_setup_data Ross Philipson
2021-09-22 12:03   ` Daniel Kiper
2021-08-27 13:28 ` [PATCH v4 03/14] x86/boot: Place kernel_info at a fixed offset Ross Philipson
2021-08-27 13:28 ` [PATCH v4 04/14] Documentation/x86: Secure Launch kernel documentation Ross Philipson
2021-12-02 17:26   ` Robin Murphy [this message]
2021-12-03 15:47     ` Ross Philipson
2021-12-03 16:03       ` Robin Murphy
2021-12-03 17:48         ` Ross Philipson
2021-08-27 13:28 ` [PATCH v4 05/14] x86: Secure Launch Kconfig Ross Philipson
2021-08-27 13:28 ` [PATCH v4 06/14] x86: Secure Launch main header file Ross Philipson
2021-08-27 13:28 ` [PATCH v4 07/14] x86: Add early SHA support for Secure Launch early measurements Ross Philipson
2021-08-27 13:28 ` [PATCH v4 08/14] x86: Secure Launch kernel early boot stub Ross Philipson
2021-08-27 13:28 ` [PATCH v4 09/14] x86: Secure Launch kernel late " Ross Philipson
2021-08-27 13:28 ` [PATCH v4 10/14] x86: Secure Launch SMP bringup support Ross Philipson
2021-08-27 13:28 ` [PATCH v4 11/14] kexec: Secure Launch kexec SEXIT support Ross Philipson
2021-08-27 13:28 ` [PATCH v4 12/14] reboot: Secure Launch SEXIT support on reboot paths Ross Philipson
2021-08-27 13:28 ` [PATCH v4 13/14] x86: Secure Launch late initcall platform module Ross Philipson
2021-08-27 13:28 ` [PATCH v4 14/14] tpm: Allow locality 2 to be set when initializing the TPM for Secure Launch Ross Philipson
2021-08-27 13:30   ` Jason Gunthorpe
2021-08-30 19:45     ` Daniel P. Smith
2021-12-01  1:06 ` [PATCH v4 00/14] x86: Trenchboot secure dynamic launch Linux kernel support Paul Moore
2021-12-02 16:09   ` Daniel P. Smith
2021-12-06 20:56     ` Paul Moore
2022-01-21 21:39       ` Paul Moore
2022-02-15 15:50         ` Daniel P. Smith

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bd677501-bd65-9648-c8f5-1b90983377b5@arm.com \
    --to=robin.murphy@arm.com \
    --cc=bp@alien8.de \
    --cc=dpsmith@apertussolutions.com \
    --cc=hpa@zytor.com \
    --cc=iommu@lists.linux-foundation.org \
    --cc=kanth.ghatraju@oracle.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@redhat.com \
    --cc=ross.philipson@oracle.com \
    --cc=tglx@linutronix.de \
    --cc=trenchboot-devel@googlegroups.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).