On 12/3/21 11:03, Robin Murphy wrote: > On 2021-12-03 15:47, Ross Philipson wrote: >> On 12/2/21 12:26, Robin Murphy wrote: >>> On 2021-08-27 14:28, Ross Philipson wrote: >>> [...] >>>> +IOMMU Configuration >>>> +------------------- >>>> + >>>> +When doing a Secure Launch, the IOMMU should always be enabled and >>>> the drivers >>>> +loaded. However, IOMMU passthrough mode should never be used. This >>>> leaves the >>>> +MLE completely exposed to DMA after the PMR's [2]_ are disabled. >>>> First, IOMMU >>>> +passthrough should be disabled by default in the build configuration:: >>>> + >>>> + "Device Drivers" --> >>>> + "IOMMU Hardware Support" --> >>>> + "IOMMU passthrough by default [ ]" >>>> + >>>> +This unset the Kconfig value CONFIG_IOMMU_DEFAULT_PASSTHROUGH. >>> >>> Note that the config structure has now changed, and if set, passthrough >>> is deselected by choosing a different default domain type. >> >> Thanks for the heads up. We will have to modify this for how things >> exist today. >> >>> >>>> +In addition, passthrough must be disabled on the kernel command line >>>> when doing >>>> +a Secure Launch as follows:: >>>> + >>>> + iommu=nopt iommu.passthrough=0 >>> >>> This part is a bit silly - those options are literally aliases for the >>> exact same thing, and furthermore if the config is already set as >>> required then the sole effect either of them will have is to cause "(set >>> by kernel command line)" to be printed. There is no value in explicitly >>> overriding the default value with the default value - if anyone can >>> append an additional "iommu.passthrough=1" (or "iommu=pt") to the end of >>> the command line they'll still win. >> >> I feel like when we worked on this, it was still important to set those >> values. This could have been in an older kernel version. We will go back >> and verify what you are saying here and adjust the documentation >> accordingly. >> >> As to anyone just adding values to the command line, that is why the >> command line is part of the DRTM measurements. > > Yeah, I had a vague memory that that was the case - basically if you can > trust the command line as much as the config then it's definitely > redundant to pass an option for this (see iommu_subsys_init() - it's now > all plumbed through iommu_def_domain_type), and if you can't then > passing them is futile anyway. Thanks you for your feedback. Ross > > Cheers, > Robin.
