ACK: [SRU][B/aws, F/aws, G/aws] disable strict IOMMU TLB invalidation by default

Thadeu Lima de Souza Cascardo cascardo at
Fri Oct 30 18:28:18 UTC 2020

On Fri, Oct 30, 2020 at 06:33:38PM +0100, Andrea Righi wrote:
> BugLink:
> [Impact]
> AWS requires relaxing the synchronous IOMMU TLB invalidation by default
> to get a significant performance improvement on certain arm64 instance
> types (bare metal).
> This is not the default behavior in the upstream kernel, which enforces
> synchronous invalidations to provide better isolation and potentially
> prevent side-channel attacks with malicious devices that can be
> registered in the same IOMMU domain.
> This behavior cannot be changed at run-time and it is available only via
> iommu.strict=0|1 (via kernel boot parameters - GRUB).
> [Test Case]
> It has been performance-tested by AWS.
> [Fix]
> Change iommu.strict in the kernel to be off by default. It will
> always be possible to revert this change and restore the old behavior by
> setting iommu.strict=1 in the GRUB parameters (and rebooting).
> [Regression Potential]
> The only concern about this change is that we are relaxing a security
> constraint. After considerable discussion and evaluation (also with the
> security team) the conclusion was that this change is not realistically
> affecting the particular AWS environment in terms of security and it can
> definitely provide a significant performance boost on certain arm64
> instance types.

For AWS only. VFIO does the right thing and flushes the IOTLB. This will affect
the use of the DMA API, but that should be fine on clouds.

Acked-by: Thadeu Lima de Souza Cascardo <cascardo at>
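
Added example (not part of the patch or of either message in this thread): a shell check that reports which IOTLB invalidation mode a given boot command line selects, for auditing hosts after the default changes. The function name, the sample command lines, the "last occurrence wins" handling, and the caller-supplied build default are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the IOMMU TLB invalidation mode a boot command line selects.
# iommu_strict_mode CMDLINE BUILD_DEFAULT
#   CMDLINE        kernel command line, e.g. "$(cat /proc/cmdline)"
#   BUILD_DEFAULT  1 or 0, the value the kernel uses when iommu.strict is
#                  absent (assumption supplied by the caller: 0 for a kernel
#                  carrying this change, 1 otherwise)
# Prints "<mode> <source>": mode is strict|lazy|unknown, source is cmdline|default.
iommu_strict_mode() {
    value=$2
    src=default
    set -f                      # no globbing while word-splitting the cmdline
    for tok in $1; do
        case $tok in
            iommu.strict=*)     # the last occurrence is the one reported (assumed)
                value=${tok#iommu.strict=}
                src=cmdline ;;
        esac
    done
    set +f
    case $value in
        1) echo "strict $src" ;;
        0) echo "lazy $src" ;;
        *) echo "unknown $src" ;;   # only 0|1, as given in the thread, are interpreted
    esac
}

# Constructed sample command lines, not captured from a real host.
SAMPLE_PLAIN='BOOT_IMAGE=/boot/vmlinuz root=/dev/nvme0n1p1 ro console=ttyS0'
SAMPLE_STRICT="$SAMPLE_PLAIN iommu.strict=1"

# Stand-alone use on a live host: pass the build default as $1 (0 if omitted).
if [ -r /proc/cmdline ]; then
    iommu_strict_mode "$(cat /proc/cmdline)" "${1:-0}"
fi
```

A host that prints "lazy default" is relying on the relaxed default described above; "strict cmdline" confirms that iommu.strict=1 was applied through GRUB and took effect after the reboot.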
