aws: disable strict IOMMU TLB invalidation by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux-aws (Ubuntu) | Fix Released | High | Andrea Righi | |
| Bionic | Fix Released | High | Andrea Righi | |
| Focal | Fix Released | High | Andrea Righi | |
| Groovy | Fix Released | High | Andrea Righi | |
Bug Description
[Impact]
AWS requires relaxing synchronous IOMMU TLB invalidation by default to obtain a significant performance improvement on certain arm64 instance types (bare metal).
This is not the default behavior in the upstream kernel, which enforces synchronous invalidations to provide better isolation and potentially prevent side-channel attacks by malicious devices registered in the same IOMMU domain.
This behavior cannot be changed at run-time; it is selectable only via the iommu.strict=0|1 kernel boot parameter (set through GRUB).
[Test Case]
It has been performance-tested by AWS.
[Fix]
Change the kernel's iommu.strict default to off. It will always be possible to revert this change and restore the old behavior by setting iommu.strict=1 in the GRUB parameters (and rebooting).
[Regression Potential]
The only concern about this change is that we are relaxing a security constraint. After considerable discussion and evaluation (also with the security team) the conclusion was that this change does not realistically affect the particular AWS environment in terms of security, and it can definitely provide a significant performance boost on certain arm64 instance types.
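Because the new default is silent (nothing on the command line says non-strict mode is in effect), an operator who wants the upstream isolation guarantee back has to check the boot parameters and re-add iommu.strict=1 through GRUB. The POSIX shell script below is an added example, not part of this bug report or the linux-aws package: it classifies a kernel command line as strict, non-strict or default, and builds the GRUB_CMDLINE_LINUX_DEFAULT value that restores strict invalidation. The function names are constructed for this example; the value matching assumes the kernel's kstrtobool() rules (leading 1/y/Y or on is true, leading 0/n/N or off is false) and that the last occurrence of a repeated parameter wins.

```shell
#!/bin/sh
# Added example, not part of the bug report or the linux-aws package.
# Audits a kernel command line for the iommu.strict setting and builds the
# GRUB_CMDLINE_LINUX_DEFAULT value that re-enables strict invalidation.
# Function names are illustrative (constructed for this example).

# Print "strict", "non-strict" or "default" for a kernel command line.
# Repeated parameters: the last occurrence wins, since the kernel runs the
# early_param handler once per occurrence, in order. Values are matched the
# way kstrtobool() does (assumption: leading 1/y/Y or "on" is true,
# leading 0/n/N or "off" is false).
iommu_strict_mode() {
    mode=default
    for tok in $1; do
        case "$tok" in
            iommu.strict=[1yY]*|iommu.strict=[oO][nN]*) mode=strict ;;
            iommu.strict=[0nN]*|iommu.strict=[oO][fF]*) mode=non-strict ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Rewrite a GRUB_CMDLINE_LINUX_DEFAULT value so that it ends with
# iommu.strict=1, dropping any earlier iommu.strict=... token so the
# resulting command line is unambiguous.
add_iommu_strict() {
    cleaned=
    for tok in $1; do
        case "$tok" in
            iommu.strict=*) ;;
            *) cleaned="$cleaned${cleaned:+ }$tok" ;;
        esac
    done
    printf '%s\n' "$cleaned${cleaned:+ }iommu.strict=1"
}

# Report on the running kernel. "default" means the compiled-in policy,
# which is non-strict on a linux-aws kernel carrying this fix and strict
# on an upstream kernel, so "default" alone does not tell you which one
# is in effect; the package version does.
audit_running_kernel() {
    cmdline=$(cat /proc/cmdline)
    echo "kernel cmdline: $cmdline"
    echo "iommu.strict: $(iommu_strict_mode "$cmdline")"
    if [ -r /etc/default/grub ]; then
        # Show the value an admin would put in /etc/default/grub before
        # running update-grub and rebooting; nothing is modified here.
        current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' /etc/default/grub)
        echo "to restore strict mode set:"
        echo "GRUB_CMDLINE_LINUX_DEFAULT=\"$(add_iommu_strict "$current")\""
    fi
}

if [ -r /proc/cmdline ]; then
    audit_running_kernel
fi
```

The script only reads /proc/cmdline and /etc/default/grub and prints the suggested line; applying it still means editing /etc/default/grub, running update-grub and rebooting, exactly as the [Fix] section describes, because the invalidation policy cannot be switched at run-time.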
Activity log:
- linux-aws (Ubuntu): importance Undecided → High
- linux-aws (Ubuntu Bionic): importance Undecided → High
- linux-aws (Ubuntu Focal): importance Undecided → High
- linux-aws (Ubuntu Groovy): importance Undecided → High
- linux-aws (Ubuntu): assignee nobody → Andrea Righi (arighi)
- linux-aws (Ubuntu Bionic): assignee nobody → Andrea Righi (arighi)
- linux-aws (Ubuntu Focal): assignee nobody → Andrea Righi (arighi)
- linux-aws (Ubuntu Groovy): assignee nobody → Andrea Righi (arighi)
- linux-aws (Ubuntu Groovy): status New → Fix Committed
- linux-aws (Ubuntu Focal): status New → Fix Committed
- linux-aws (Ubuntu Bionic): status New → Fix Committed
This bug was fixed in the package linux-aws - 5.4.0-1030.31
---------------
linux-aws (5.4.0-1030.31) focal; urgency=medium
* focal/linux-aws: 5.4.0-1030.31 -proposed tracker (LP: #1903158)
* Focal update: v5.4.66 upstream stable release (LP: #1896824)
- [Config] [aws] updateconfigs for VGACON_SOFT_SCROLLBACK
* aws: disable strict IOMMU TLB invalidation by default (LP: #1902281)
- SAUCE: [aws] iommu: set the default iommu-dma mode as non-strict
* AWS: add the nitro_enclaves driver (LP: #1903087)
- cpu/hotplug: Add new {add,remove}_cpu() functions
- [Config][aws] update config for NITRO_ENCLAVES
- nitro_enclaves: Add ioctl interface definition
- nitro_enclaves: Define the PCI device interface
- nitro_enclaves: Define enclave info for internal bookkeeping
- nitro_enclaves: Init PCI device driver
- nitro_enclaves: Handle PCI device command requests
- nitro_enclaves: Handle out-of-band PCI device events
- nitro_enclaves: Init misc device providing the ioctl interface
- nitro_enclaves: Add logic for creating an enclave VM
- nitro_enclaves: Add logic for setting an enclave vCPU
- nitro_enclaves: Add logic for getting the enclave image load info
- nitro_enclaves: Add logic for setting an enclave memory region
- nitro_enclaves: Add logic for starting an enclave
- nitro_enclaves: Add logic for terminating an enclave
- nitro_enclaves: Add Kconfig for the Nitro Enclaves driver
- nitro_enclaves: Add Makefile for the Nitro Enclaves driver
- nitro_enclaves: Add sample for ioctl interface usage
- nitro_enclaves: Add overview documentation
- MAINTAINERS: Add entry for the Nitro Enclaves driver
[ Ubuntu: 5.4.0-55.61 ]
* focal/linux: 5.4.0-55.61 -proposed tracker (LP: #1903175)
* Update kernel packaging to support forward porting kernels (LP: #1902957)
- [Debian] Update for leader included in BACKPORT_SUFFIX
* Avoid double newline when running insertchanges (LP: #1903293)
- [Packaging] insertchanges: avoid double newline
* EFI: Fails when BootCurrent entry does not exist (LP: #1899993)
- efivarfs: Replace invalid slashes with exclamation marks in dentries.
* CVE-2020-14351
- perf/core: Fix race in the perf_mmap_close() function
* raid10: Block discard is very slow, causing severe delays for mkfs and fstrim operations (LP: #1896578)
- md: add md_submit_discard_bio() for submitting discard bio
- md/raid10: extend r10bio devs to raid disks
- md/raid10: pull codes that wait for blocked dev into one function
- md/raid10: improve raid10 discard request
- md/raid10: improve discard request for far layout
- dm raid: fix discard limits for raid1 and raid10
- dm raid: remove unnecessary discard limits for raid10
* Bionic: btrfs: kernel BUG at /build/linux-eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233! (LP: #1902254)
- btrfs: drop unnecessary offset_in_page in extent buffer helpers
- btrfs: extent_io: do extra check for extent buffer read write functions
- btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
- btrfs: extent-tree: kill the BUG_ON() in insert_inline_extent_backref()
...