Hi

Over six years ago, support for VFIO without IOMMU was enabled for arm64. This is a breach of the integrity lockdown requirement of secure boot.

VFIO is a framework for handling devices in userspace. To make this safe, an IOMMU is required by default. Without it, user space can write everywhere in memory.

The code is still not conditional on lockdown, even if a patch was proposed.

I intend to disable this option for all supported kernels.

Regards,
Bastian

-- 
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.
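
An audit check for the exposure described in the message above, as an added example that is not part of the original mail or of any distribution's tooling. It assumes the upstream names `CONFIG_VFIO_NOIOMMU` and the `vfio` module parameter `enable_unsafe_noiommu_mode`, which the message does not spell out; the function name `vfio_noiommu_status` is hypothetical.

```shell
#!/bin/sh
# Added example: report whether VFIO no-IOMMU mode is built into a kernel,
# whether it is switched on at runtime, and which lockdown mode is active.
# Usage on a live system (assumed config location):
#   vfio_noiommu_status "/boot/config-$(uname -r)"
# The last two arguments default to the live sysfs/securityfs paths and exist
# so the check can also be run against saved files.

vfio_noiommu_status() {
    cfg=$1
    param=${2:-/sys/module/vfio/parameters/enable_unsafe_noiommu_mode}
    lockdown=${3:-/sys/kernel/security/lockdown}

    # Without a readable config we cannot say anything about the build.
    if [ ! -r "$cfg" ]; then
        echo "config-unreadable"
        return 2
    fi

    # Kconfig writes "CONFIG_X=y" when set, "# CONFIG_X is not set" otherwise.
    if grep -q '^CONFIG_VFIO_NOIOMMU=y$' "$cfg"; then
        built=yes
    else
        built=no
    fi

    # Bool module parameters read back as Y or N; the file is absent when
    # the vfio module is not loaded, which we treat as N.
    runtime=N
    if [ -r "$param" ]; then
        runtime=$(cat "$param")
    fi

    # The lockdown file lists all modes with the active one in brackets,
    # e.g. "none [integrity] confidentiality".
    mode=
    if [ -r "$lockdown" ]; then
        mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$lockdown")
    fi
    [ -n "$mode" ] || mode=unknown

    if [ "$built" = no ]; then
        state=not-built
    elif [ "$runtime" = Y ]; then
        state=built-ENABLED
    else
        state=built-disabled
    fi
    echo "$state lockdown=$mode"
}
```

A result of `built-ENABLED` together with `lockdown=integrity` or `lockdown=confidentiality` is the combination the message describes: lockdown is active, yet user space has a path to arbitrary memory writes through a device with no IOMMU isolation.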