Public bug reported:

[Impact]

AWS requires relaxing the synchronous IOMMU TLB invalidation by default to get a significant performance improvement on certain arm64 instance types (bare metal).

This is not the default behavior in the upstream kernel, which enforces synchronous invalidations to provide better isolation and potentially prevent side-channel attacks with malicious devices that can be registered in the same IOMMU domain.

This behavior cannot be changed at run-time and it is available only via iommu.strict=0|1 (via kernel boot parameters - GRUB).

[Test Case]

It has been performance-tested by AWS.

[Fix]

Change iommu.strict in the kernel to be off by default. It will always be possible to revert this change and restore the old behavior by setting iommu.strict=1 in the GRUB parameters (and rebooting).

[Regression Potential]

The only concern about this change is that we are relaxing a security constraint. After considerable discussion and evaluation (also with the security team) the conclusion was that this change is not realistically affecting the particular AWS environment in terms of security and it can definitely provide a significant performance boost on certain arm64 instance types.

** Affects: linux-aws (Ubuntu)
     Importance: High
     Assignee: Andrea Righi (arighi)
     Status: New

** Affects: linux-aws (Ubuntu Bionic)
     Importance: High
     Assignee: Andrea Righi (arighi)
     Status: New

** Affects: linux-aws (Ubuntu Focal)
     Importance: High
     Assignee: Andrea Righi (arighi)
     Status: New

** Affects: linux-aws (Ubuntu Groovy)
     Importance: High
     Assignee: Andrea Righi (arighi)
     Status: New

** Also affects: linux-aws (Ubuntu Focal)
     Importance: Undecided
     Status: New

** Also affects: linux-aws (Ubuntu Groovy)
     Importance: Undecided
     Status: New

** Also affects: linux-aws (Ubuntu Bionic)
     Importance: Undecided
     Status: New

** Changed in: linux-aws (Ubuntu)
     Importance: Undecided => High

** Changed in: linux-aws (Ubuntu Bionic)
     Importance: Undecided => High

** Changed in: linux-aws (Ubuntu Focal)
     Importance: Undecided => High

** Changed in: linux-aws (Ubuntu Groovy)
     Importance: Undecided => High

** Changed in: linux-aws (Ubuntu)
     Assignee: (unassigned) => Andrea Righi (arighi)

** Changed in: linux-aws (Ubuntu Bionic)
     Assignee: (unassigned) => Andrea Righi (arighi)

** Changed in: linux-aws (Ubuntu Focal)
     Assignee: (unassigned) => Andrea Righi (arighi)

** Changed in: linux-aws (Ubuntu Groovy)
     Assignee: (unassigned) => Andrea Righi (arighi)

--
https://bugs.launchpad.net/bugs/1902281

Title:
  aws: disable strict IOMMU TLB invalidation by default

Status in linux-aws package in Ubuntu: New
Status in linux-aws source package in Bionic: New
Status in linux-aws source package in Focal: New
Status in linux-aws source package in Groovy: New
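
The report says the relaxed default can be overridden only at boot, with iommu.strict=1 in the GRUB parameters. The following is an added example, not part of the bug report or of the Ubuntu kernel change: a shell check that works out which invalidation mode a given kernel command line selects. The function names, the sample command lines and the "last occurrence wins" handling of a repeated parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): decide which IOMMU TLB invalidation
# mode a kernel command line selects. Only the values 0 and 1 named in the
# report are recognised. Assumption: if the parameter is repeated, the last
# occurrence is the one that counts.

# effective_iommu_mode CMDLINE BUILD_DEFAULT
#   BUILD_DEFAULT is 0 or 1: the mode this kernel build uses when the
#   parameter is absent (0 after the linux-aws change, 1 before it).
# Prints "<mode> <source>": mode is strict|lazy, source is cmdline|default.
effective_iommu_mode() (
    set -f                      # no glob expansion while word-splitting
    value=$2
    origin=default
    for arg in $1; do
        case $arg in
            iommu.strict=0|iommu.strict=1)
                value=${arg#iommu.strict=}
                origin=cmdline
                ;;
        esac
    done
    case $value in
        1) echo "strict $origin" ;;
        0) echo "lazy $origin" ;;
        *) echo "unknown $origin"; exit 2 ;;
    esac
)

# require_strict CMDLINE BUILD_DEFAULT
# Returns 0 only when strict invalidation is in effect; otherwise prints the
# remedy the report gives and returns 1 (2 if BUILD_DEFAULT is not 0 or 1).
require_strict() {
    result=$(effective_iommu_mode "$1" "$2") || return 2
    case $result in
        strict*) return 0 ;;
    esac
    echo "lazy IOMMU TLB invalidation ($result):" \
         "add iommu.strict=1 to the GRUB kernel parameters and reboot" >&2
    return 1
}

# Constructed sample command lines (not taken from a real instance).
SAMPLE_DEFAULT='BOOT_IMAGE=/boot/vmlinuz root=LABEL=rootfs ro console=ttyS0'
SAMPLE_PINNED="$SAMPLE_DEFAULT iommu.strict=1"
```

On a running instance, pass "$(cat /proc/cmdline)" as the first argument and the build default of the installed kernel as the second.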