This repository was archived by the owner on Aug 5, 2022. It is now read-only.
This repository was archived by the owner on Aug 5, 2022. It is now read-only.
Add support for IOMMU protection #64
Description
Support for IOMMU is planned to be added to the kernel.
User-space should take advantage of it and auto-approve devices if IOMMU protection is enabled and the security level is one of those that requires device authorization.
References:
https://www.spinics.net/lists/linux-pci/msg78204.html
Especially https://www.spinics.net/lists/linux-pci/msg78206.html for the sysfs interface and documentation.
Points I collected for now:
- Add to
tbtacl.rulesa rule to auto-approve if IOMMU enabled.
ACTION=="add", SUBSYSTEM=="thunderbolt", ATTRS{iommu_dma_protection}=="1", ATTR{authorized}=="0", ATTR{authorized}="1"as suggested in the documentation. - Update documentation.
- Do we need another rule for
ACTION=="change"too?
I expect it to be needed, if a long chain of devices is connected and we auto-approve them it still takes some time and the approve onaddfor the last device may fail, the same as can happen with auto-approval based on ACL records. - Do we have any place this mode should be reported to the user? Maybe mentioning it to the users when they try to run
approve-all, the same as done today for SLs other thanuserandsecure.