** Changed in: linux-aws (Ubuntu Focal)
Status: New => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-aws in Ubuntu.
https://bugs.launchpad.net/bugs/1902281
Title:
aws: disable strict IOMMU TLB invalidation by default
Status in linux-aws package in Ubuntu:
New
Status in linux-aws source package in Bionic:
New
Status in linux-aws source package in Focal:
Fix Committed
Status in linux-aws source package in Groovy:
Fix Committed
Bug description:
[Impact]
AWS requires to relax the synchronous IOMMU TLB invalidation by
default to get a significant performance improvement on certain arm64
instance types (bare metal).
This is not the default behavior in the upstream kernel, that enforces
synchronous invalidations to provide a better isolation and
potentially prevent side-channel attacks with malicious devices that
can be registered in the same IOMMU domain.
This behavior cannot be changed at run-time and it is available only
via iommu.strict=0|1 (via kernel boot parameters - GRUB).
[Test Case]
It has been performance-tested by AWS.
[Fix]
Change iommu.strict in the kernel to be off by default. It will be
always possible to revert this change and restore the old behavior by
setting iommu.strict=1 in the GRUB parameters (and rebooting).
[Regression Potential]
The only concern about this change is that we are relaxing a security
constraint. After considerable discussion and evaluation (also with
the security team) the conclusion was that this change is not
realistically affecting the particular AWS environment in terms of
security and it can definitely provide a significant performance boost
on certain arm64 instance types.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1902281/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
