Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Force IOMMU #175

Closed TommyTran732 closed 12 months ago

TommyTran732 commented 1 year ago

I noticed that the IOMMU setting right now is on instead of forced_isolation on AMD. Is there a reason why we are not forcing it? I don't see the on option for AMD CPUs documented anywhere.

monsieuremre commented 12 months ago

You are right. Created #176 for this.

@adrelanos could you check the request? The current option that is set seems to be completely invalid.

TommyTran732 commented 12 months ago

I hope you can help me understand what is going on here because I am very confused.

amd_iommu=forced_isolation -> Force device isolation for all devices. The IOMMU driver is not allowed anymore to lift isolation requirements as needed.

intel_iommu=on -> Enable intel iommu driver.

These don't sound like they are equivalent. One is actually forcing the isolation, the other one is just "enabled". What is the option to force this on Intel? Is it iommu=force?

If so, is the iommu=force relevant for AMD CPUs at all?

adrelanos commented 12 months ago

Thanks for the report!

I hope you can help me understand what is going on here because I am very confused.

These settings are documented here: https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html

If the equivalent isn't mentioned there, then likely it doesn't exist. To dig deeper, one would have to search existing kernel discussions and/or contact kernel support / development mailing list.

You are right. Created #176 for this.

@adrelanos could you check the request? The current option that is set seems to be completely invalid.

Thanks for the PR!

I am not sure force_enable is the best option.

                        force_enable - Force enable the IOMMU on platforms known
                                       to be buggy with IOMMU enabled. Use this
                                       option with care.

It's already force enabled using iommu=force.

This one seems more appropriate:

                        force_isolation - Force device isolation for all
                                          devices. The IOMMU driver is not
                                          allowed anymore to lift isolation
                                          requirements as needed. This option
                                          does not override iommu=pt

Then it's force enabled and also "is not allowed anymore to lift isolation requirements as needed".

adrelanos commented 12 months ago

Original issue resolved. Please open a new ticket should there be something else related to do such as force_enable vs force_isolation.

TommyTran732 commented 12 months ago

@adrelanos

Okay, I might make another issue later. Just dropping this here since it's more detailed than the kernel.org link:

https://docs.kernel.org/6.0/x86/x86_64/boot-options.html#iommu-input-output-memory-management-unit

iommu=force -> Force the use of the hardware IOMMU even when it is not actually needed (e.g. because < 3 GB memory).

I am not sure this actually forces IOMMU to not lift restrictions like forced_isolation either.

adrelanos commented 12 months ago

I don't think it does because it doesn't say it does.

The kernel is developed by different developers. I assume if nobody implemented a comparable feature for Intel, or if it's not needed, it's simply non-existent.

AMD CPUs might have a feature to disable isolation without reboot required. This can only be prevented by using force_isolation. Intel CPUs might not have the feature to disable isolation. Hence there was no point to implement force_isolation.

It's a different CPU. It can have different CPU features and kernel implementation.

If you look into other CPU architectures (ARM, ...) you might find more discrepancies. I don't think there is much to be surprised about here.

For the purpose of security-misc, I will simply trust the kernel manual if there isn't any additional information on the internet. If you want to dig deeper, you need to consult the kernel source code or contact the kernel developers. By reading the comments of the kernel source code for the related keywords, you might already find the answer.
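Added example, not code from the security-misc project or from any participant in this thread: a POSIX sh check that classifies the IOMMU options discussed above (amd_iommu=force_isolation, intel_iommu=on, iommu=force, iommu=pt, and off) as they appear on a kernel command line, so a reviewer can confirm which of the two AMD options from the force_enable vs force_isolation discussion, and which generic option from the iommu=force definition, actually ended up in the boot configuration. The function names and the verdict words are my own; the option names and meanings are those quoted from kernel-parameters.txt in the comments above. It inspects only the configured command line, so it says nothing about whether the hardware IOMMU initialised; that is visible in dmesg and under /sys/class/iommu.

```shell
#!/bin/sh
# Added example for this thread (not part of security-misc): classify the
# IOMMU-related options found on a kernel command line. Option names are the
# ones from kernel-parameters.txt quoted in the thread; the verdict labels
# below are my own convention.

# param_value KEY CMDLINE
# Prints the value of the last KEY=value token on CMDLINE (empty if absent).
param_value() {
    key=$1
    val=""
    for tok in $2; do
        case $tok in
            "$key"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s' "$val"
}

# iommu_verdict CMDLINE
# Prints one word; returns 0 when the IOMMU is switched on by the command
# line (forced or enabled), 1 otherwise.
#   off         - an iommu option disables it outright
#   passthrough - iommu=pt is set; force_isolation does not override it
#   forced      - amd_iommu=force_isolation (AMD only; no Intel equivalent)
#   enabled     - iommu=force and/or intel_iommu=on, isolation not forced
#   default     - none of the above (amd_iommu=on is not a documented value
#                 and therefore lands here); firmware/kernel defaults apply
iommu_verdict() {
    generic=$(param_value iommu "$1")
    amd=$(param_value amd_iommu "$1")
    intel=$(param_value intel_iommu "$1")
    # Wrap in commas so each comma-separated flag matches as a whole word.
    all=",$generic,$amd,$intel,"
    case $all in
        *,off,*) echo off; return 1 ;;
    esac
    case ",$generic," in
        *,pt,*) echo passthrough; return 1 ;;
    esac
    case ",$amd," in
        *,force_isolation,*) echo forced; return 0 ;;
    esac
    case ",$generic,$intel," in
        *,force,*|*,on,*) echo enabled; return 0 ;;
    esac
    echo default
    return 1
}

# Check the running kernel when invoked directly on a Linux host.
if [ -r /proc/cmdline ]; then
    printf 'running kernel: %s\n' "$(iommu_verdict "$(cat /proc/cmdline)")"
fi
```

Run it as a script to see the verdict for the running kernel, or source it and call `iommu_verdict` on a candidate GRUB_CMDLINE_LINUX value before rebooting. The passthrough case is checked before the forced case on purpose: as the quoted documentation says, force_isolation does not override iommu=pt, so a line carrying both is reported as passthrough rather than forced.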