APPLIED[B+F/aws]: [SRU][B/aws, F/aws, G/aws] disable strict IOMMU TLB invalidation by default

Kelsey Skunberg kelsey.skunberg at canonical.com
Fri Nov 6 22:23:34 UTC 2020


Applied to Bionic/aws and Focal/aws. Thank you! 

-Kelsey

On 2020-10-30 18:33:38 , Andrea Righi wrote:
> BugLink: https://bugs.launchpad.net/bugs/1902281
> 
> [Impact]
> 
> AWS requires relaxing the synchronous IOMMU TLB invalidation by default
> to get a significant performance improvement on certain arm64 instance
> types (bare metal).
> 
> This is not the default behavior in the upstream kernel, which enforces
> synchronous invalidations to provide better isolation and potentially
> prevent side-channel attacks with malicious devices that can be
> registered in the same IOMMU domain.
> 
> This behavior cannot be changed at run-time and it is available only via
> iommu.strict=0|1 (via kernel boot parameters - GRUB).
> 
> [Test Case]
> 
> It has been performance-tested by AWS.
> 
> [Fix]
> 
> Change iommu.strict in the kernel to be off by default. It will always
> be possible to revert this change and restore the old behavior by
> setting iommu.strict=1 in the GRUB parameters (and rebooting).
> 
> [Regression Potential]
> 
> The only concern about this change is that we are relaxing a security
> constraint. After considerable discussion and evaluation (also with the
> security team) the conclusion was that this change does not realistically
> affect the particular AWS environment in terms of security and it can
> definitely provide a significant performance boost on certain arm64
> instance types.
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
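As an added example, not code from the SRU mail or from the Ubuntu kernel tree: a POSIX shell audit of the iommu.strict policy described above, plus the /etc/default/grub rewrite that restores strict invalidation. It assumes the iommu.strict=0|1 boot parameter named in the mail, that the last occurrence on the command line wins, and that the caller supplies the kernel's built-in default (1 upstream, 0 on the aws kernels after this change).

```shell
#!/bin/sh
# Added example, not code from the SRU mail or the Ubuntu kernel tree.
# Assumptions: the iommu.strict=0|1 boot parameter named in the mail; when it
# appears more than once the last occurrence wins; the kernel's built-in
# default is supplied by the caller (1 upstream, 0 on the aws kernels after
# this change).

# Print the effective iommu.strict value (0 or 1) for a kernel command line
# string, starting from the built-in default given as $2.
iommu_strict_effective() {
    cmdline=$1
    mode=$2
    for tok in $cmdline; do
        case "$tok" in
            iommu.strict=0) mode=0 ;;
            iommu.strict=1) mode=1 ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Rewrite /etc/default/grub content (passed as a string) so that
# GRUB_CMDLINE_LINUX_DEFAULT carries iommu.strict=1. Idempotent: an
# existing iommu.strict=0 is flipped, an existing iommu.strict=1 is kept.
grub_force_strict() {
    printf '%s\n' "$1" | sed \
        -e '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/iommu\.strict=0/iommu.strict=1/' \
        -e '/^GRUB_CMDLINE_LINUX_DEFAULT=.*iommu\.strict=1/!s/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 iommu.strict=1"/' \
        -e 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)" /\1"/'
}

# Audit the running kernel: report the effective policy given its built-in
# default ($1) and say what to change to restore strict invalidation.
# Returns 0 when strict, 1 when lazy.
audit_running_kernel() {
    builtin_default=$1
    effective=$(iommu_strict_effective "$(cat /proc/cmdline)" "$builtin_default")
    if [ "$effective" = 1 ]; then
        echo "iommu.strict effective=1 (strict TLB invalidation)"
        return 0
    fi
    echo "iommu.strict effective=0 (lazy TLB invalidation)"
    echo "to restore: add iommu.strict=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, run update-grub, reboot"
    return 1
}
```

On an aws kernel carrying this change, run `audit_running_kernel 0`; on an upstream-default kernel, `audit_running_kernel 1`.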
