On Tue, Jun 25, 2024 at 06:26:00PM +0200, Lukas Wunner wrote:
> On Tue, Jun 25, 2024 at 09:01:50PM +0530, Vidya Sagar wrote:
> > Add a kernel command-line option 'config_acs' to directly control all the
> > ACS bits for specific devices, which allows the operator to setup the
> > right level of isolation to achieve the desired P2P configuration.
>
> An example wouldn't hurt, here and in kernel-parameters.txt.
>
> > ACS offers a range of security choices controlling how traffic is
> > allowed to go directly between two devices. Some popular choices:
> >   - Full prevention
> >   - Translated requests can be direct, with various options
> >   - Asymmetric direct traffic, A can reach B but not the reverse
> >   - All traffic can be direct
> > Along with some other less common ones for special topologies.
>
> I'm wondering whether it would make more sense to let users choose
> between those "higher-level" options, instead of giving direct access
> to bits (and thus risking users to choose an incorrect setting).

IMHO, "higher-level" options will be much more complex to use than a
simple ACS bits matrix. In any case, the user who will use this feature
will need to read the PCI spec first.

In PCI v6, 13 bits are used for ACS with 8192 possible combinations and
it is unlikely to find a small set of "definitions" that will fit all cases.

Thanks