Newer hardware will add support for using IOMMU to protect against DMA attacks. The kernel support for this has been posted and will probably land in 4.21.

Support will be indicated via /sys/bus/thunderbolt/devices/domainX/iommu_dma_protection (with 1 indicating that the system is protected). On such systems the existing security levels are redundant because attack protection is already done the hardware.

ToDo:

1. ReaddomainX/iommu_dma_protection and expose as as property of BoltDomain
2. boltctl should indicate the actual protection in addition to the security level
3. device handling for newly connected when iommu is active
   • auto-enroll new devices (with new IOMMU policy)
   • auto-authorize devices with IOMMU policy
   • auto-import new devices (with new IOMMU policy)
4. Adjust policy from DEFAULT to IOMMU when manually enrolling a device and iommu is active