Force IOMMU

Question

Force IOMMU

TommyTran732 opened this issue 9 months ago · comments

I noticed that IOMMU settings right now is on instead of forced_isolation on AMD. Is there a reason why we are not forcing it? I don't see the on option for AMD CPUs documented anywhere.

monsieuremre · Answer 1 · Mon Dec 04 2023 03:56:13 GMT+0800 (China Standard Time)

You are right. Created #176 for this.

@adrelanos could you check the request? The current option that is set seems to be completely invalid.

Tommy · Answer 2 · Mon Dec 04 2023 06:55:29 GMT+0800 (China Standard Time)

I hope you can help me understand what is going here because I am very confused.

amd_iommu=forced_isolation -> Force device isolation for all devices. The IOMMU driver is not allowed anymore to lift isolation requirements as needed.

intel_iommu=on -> Enable intel iommu driver.

These don't sound like they are equivalent. One is actually forcing the isolation, the other one is just "enabled". What is the option to force this on Intel? Is it iommu=force?

If so, is the iommu=force relevant for AMD CPUs at all?

Patrick Schleizer · Answer 3 · Mon Dec 04 2023 23:15:09 GMT+0800 (China Standard Time)

Thanks for the report!

I hope you can help me understand what is going here because I am very confused.

These settings are documented here:
https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

If the equivalent isn't mentioned there, then likely it doesn't exist. To dig deeper, one would have to search existing kernel discussions and/or contact kernel support / development mailing list.

You are right. Created #176 for this.

@adrelanos could you check the request? The current option that is set seems to be completely invalid.

Thanks for the PR!

I am not sure force_enable is the best option.

                        force_enable - Force enable the IOMMU on platforms known
                                       to be buggy with IOMMU enabled. Use this
                                       option with care.

It's already force enabled using iommu=force.

This one seems more appropriate:

                        force_isolation - Force device isolation for all
                                          devices. The IOMMU driver is not
                                          allowed anymore to lift isolation
                                          requirements as needed. This option
                                          does not override iommu=pt

Then it's force enabled and also "is not allowed anymore to lift isolation requirements as needed".

Patrick Schleizer · Answer 4 · Tue Dec 05 2023 00:05:01 GMT+0800 (China Standard Time)

Original issue resolved. Please open a new ticket should there be something else related to do such as force_enable vs force_isolation.

Tommy · Answer 5 · Tue Dec 05 2023 06:34:11 GMT+0800 (China Standard Time)

@adrelanos

Okay, I might make another issue later. Just dropping this here since it's more detailed than the kernel.org link:

https://docs.kernel.org/6.0/x86/x86_64/boot-options.html#iommu-input-output-memory-management-unit

iommu=force -> Force the use of the hardware IOMMU even when it is not actually needed (e.g. because < 3 GB memory).

I am not sure this actually forces IOMMU to not lift restrictions like forced_isolation either.

Patrick Schleizer · Answer 6 · Tue Dec 05 2023 13:52:33 GMT+0800 (China Standard Time)

I don't think it does because it doesn't say it does. The kernel is developed by different developers. I assume if nobody implemented a comparable feature for Intel or if it's not needed it's simply non-existing. AMD CPUs might have a feature to disable isolation without reboot required. This can only be prevented by using force_isolation. Intel CPUs might not have the feature to disable isolation. Hence there was no point to implement force_isolation. It's a different CPU. It can have different CPU features and kernel implementation. If you look into other CPU architectures (ARM, ...) you might find more discrepancies. I don't think there is much to be surprised about here. For the purpose of security-misc, I will simply trust the kernel manual if there isn't any additional information on the internet. If you want to dig deeper, you need to consult the kernel source code or contact the kernel developers. By reading the comments of the kernel source code for the related keywords, you might already find the answer.