* Joerg Roedel <jroe...@suse.de> wrote:

> On Thu, Apr 27, 2017 at 08:51:42AM +0200, Ingo Molnar wrote:
> > > + tboot_noforce [Default Off]
> > > + Do not force the Intel IOMMU enabled under tboot.
> > > + By default, tboot will force Intel IOMMU on, which
> > > + could harm performance of some high-throughput
> > > + devices like 40GBit network cards, even if identity
> > > + mapping is enabled.
> > > + Note that using this option lowers the security
> > > + provided by tboot because it makes the system
> > > + vulnerable to DMA attacks.
> >
> > So what's the purpose of this kernel option?
> >
> > It sure isn't the proper solution for correctly architectured
> > hardware/firmware (which can just choose not to expose the IOMMU!),
> > and for one-time hacks for special embedded systems or for debugging
> > why not just add an iommu=off option to force it off?
>
> I guess that tboot requires an IOMMU to be present in order to work. It
> will do initial IOMMU setup and hands the hardware over to Linux later
> on.
>
> The problem solved here is that someone wants tboot for security
> reasons, but doesn't want the performance penalty of having the IOMMU
> enabled and can live with the risk of a DMA attack.
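Review bot: the new kernel-parameters entry for tboot_noforce says what the option stops (tboot forcing the Intel IOMMU on) but not what the IOMMU state is afterwards, so a reader cannot tell from this text whether the IOMMU is then off or simply follows the kernel's ordinary IOMMU options (the iommu=off case raised in the reply); add a sentence stating which, since that is what decides whether the "vulnerable to DMA attacks" warning applies on a given box. Minor: "40GBit" reads better as "40 Gbit".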
Yes, that makes sense - but in this case it would be far more user friendly to make it a sysctl, not a boot option. This is also much more manageable for distributions and also allows it to be more easily turned into a security policy feature.

New boot options should be for debugging hacks in essence - any serious hardware configuration should be done via more user-friendly methods.

Thanks,

	Ingo
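The thread turns on one question an operator of a tboot-launched machine needs to answer: is the IOMMU being forced on, or has tboot_noforce (possibly together with an explicit IOMMU-off option) left devices free to DMA anywhere? The script below is an added example written for this page, not code from the thread, from tboot or from the kernel tree. It classifies a kernel command line by that policy and, when run with --live, compares the policy with what the running kernel exposes. Its assumptions, none of which the thread states, are: the machine was launched by tboot (the script does not detect that), intel_iommu=on|off and iommu=off are the kernel options that switch the Intel IOMMU on or off, and /sys/kernel/iommu_groups is populated only while an IOMMU driver is active.

```shell
#!/bin/sh
# Added example, not from the thread, tboot or the kernel tree.
# Classify a kernel command line by what it means for Intel IOMMU / DMA
# protection under tboot, and optionally compare with the running kernel.
# Assumptions (not stated in the thread): the kernel was launched by tboot;
# intel_iommu=on|off and iommu=off are the options that control the Intel
# IOMMU; /sys/kernel/iommu_groups has entries only when an IOMMU is active.

# has_opt CMDLINE NAME: succeed if NAME appears as a bare word or as NAME=value.
has_opt() {
    _cmd=$1; _name=$2
    for _tok in $_cmd; do
        case "$_tok" in
            "$_name"|"$_name"=*) return 0 ;;
        esac
    done
    return 1
}

# opt_value CMDLINE NAME: print the value of the last NAME=value token, or
# an empty string if NAME is absent (the last occurrence wins, as in the kernel).
opt_value() {
    _cmd=$1; _name=$2; _val=
    for _tok in $_cmd; do
        case "$_tok" in
            "$_name"=*) _val=${_tok#*=} ;;
        esac
    done
    printf '%s\n' "$_val"
}

# classify_cmdline CMDLINE: print exactly one label
#   tboot-forced     tboot_noforce absent: per the quoted doc, tboot forces the
#                    Intel IOMMU on regardless of any iommu-off option
#   noforce-off      tboot_noforce plus intel_iommu=off or iommu=off: the IOMMU
#                    is off, this is the DMA-attack exposure the doc warns about
#   noforce-on       tboot_noforce but intel_iommu=on requested explicitly
#   noforce-default  tboot_noforce with no explicit setting: the IOMMU follows
#                    the kernel's build-time default
classify_cmdline() {
    _cmd=$1
    if ! has_opt "$_cmd" tboot_noforce; then
        echo tboot-forced
        return 0
    fi
    if [ "$(opt_value "$_cmd" iommu)" = off ]; then
        echo noforce-off
        return 0
    fi
    case "$(opt_value "$_cmd" intel_iommu)" in
        off) echo noforce-off ;;
        on)  echo noforce-on ;;
        *)   echo noforce-default ;;
    esac
}

# live_report: read the real command line and check whether the running
# kernel has IOMMU groups, which is where device DMA isolation shows up.
live_report() {
    _cmd=$(cat /proc/cmdline 2>/dev/null) || { echo "no /proc/cmdline"; return 1; }
    echo "policy: $(classify_cmdline "$_cmd")"
    if [ -n "$(ls -A /sys/kernel/iommu_groups 2>/dev/null)" ]; then
        echo "iommu: active, $(ls /sys/kernel/iommu_groups | wc -l) groups"
    else
        echo "iommu: no groups, device DMA is not isolated"
    fi
}

# Only touch the live system when asked; the functions above are pure.
if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it as `sh check-tboot-iommu.sh --live` on the target. A "noforce-off" policy with "no groups" is the configuration the documentation text warns about: tboot still measured the launch, but nothing isolates device DMA afterwards. The two sysfs paths are the part most worth re-checking on an unfamiliar kernel, since the script infers "IOMMU active" purely from the presence of IOMMU groups.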