ACK: [SRU][B/aws, F/aws, G/aws] disable strict IOMMU TLB invalidation by default

Kamal Mostafa kamal at canonical.com
Fri Oct 30 18:49:47 UTC 2020


Thanks for the analysis on this folks.  LGTM.

 -Kamal

Acked-by: Kamal Mostafa <kamal at canonical.com>

On Fri, Oct 30, 2020 at 06:33:38PM +0100, Andrea Righi wrote:
> BugLink: https://bugs.launchpad.net/bugs/1902281
> 
> [Impact]
> 
> AWS requires to relax the synchronous IOMMU TLB invalidation by default
> to get a significant performance improvement on certain arm64 instance
> types (bare metal).
> 
> This is not the default behavior in the upstream kernel, that enforces
> synchronous invalidations to provide a better isolation and potentially
> prevent side-channel attacks with malicious devices that can be
> registered in the same IOMMU domain.
> 
> This behavior cannot be changed at run-time and it is available only via
> iommu.strict=0|1 (via kernel boot parameters - GRUB).
> 
> [Test Case]
> 
> It has been performance-tested by AWS.
> 
> [Fix]
> 
> Change iommu.strict in the kernel to be off by default. It will be
> always possible to revert this change and restore the old behavior by
> setting iommu.strict=1 in the GRUB parameters (and rebooting).
> 
> [Regression Potential]
> 
> The only concern about this change is that we are relaxing a security
> constraint. After considerable discussion and evaluation (also with the
> security team) the conclusion was that this change is not realistically
> affecting the particular AWS environment in terms of security and it can
> definitely provide a significant performance boost on certain arm64
> instance types.
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team



More information about the kernel-team mailing list