[SRU][B/aws, F/aws, G/aws] disable strict IOMMU TLB invalidation by default
andrea.righi at canonical.com
Fri Oct 30 17:33:38 UTC 2020
AWS requires to relax the synchronous IOMMU TLB invalidation by default
to get a significant performance improvement on certain arm64 instance
types (bare metal).
This is not the default behavior in the upstream kernel, that enforces
synchronous invalidations to provide a better isolation and potentially
prevent side-channel attacks with malicious devices that can be
registered in the same IOMMU domain.
This behavior cannot be changed at run-time and it is available only via
iommu.strict=0|1 (via kernel boot parameters - GRUB).
It has been performance-tested by AWS.
Change iommu.strict in the kernel to be off by default. It will be
always possible to revert this change and restore the old behavior by
setting iommu.strict=1 in the GRUB parameters (and rebooting).
The only concern about this change is that we are relaxing a security
constraint. After considerable discussion and evaluation (also with the
security team) the conclusion was that this change is not realistically
affecting the particular AWS environment in terms of security and it can
definitely provide a significant performance boost on certain arm64
More information about the kernel-team