IOMMU DMA protection support
Newer hardware will add support for using IOMMU to protect against DMA attacks. The kernel support for this has been posted and will probably land in 4.21.
Support will be indicated via
1 indicating that the system is protected). On such systems the existing security levels are redundant because attack protection is already done by the hardware.
domainX/iommu_dma_protection and expose as a property of
boltctl should indicate the actual protection in addition to the security level
- device handling for newly connected when iommu is active
auto-enroll new devices (with new
auto-authorize devices with
auto-import new devices (with new
Adjust policy from
IOMMU when manually enrolling a device and
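An added example, not part of the original issue or of bolt's own code: a shell function that reports, for each Thunderbolt domain, the iommu_dma_protection value alongside the security level, and distinguishes a missing attribute (kernel without the feature) from a value of 0. The sysfs root /sys/bus/thunderbolt/devices, the per-domain security attribute and the function name tb_dma_report are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example (not bolt's code): per-domain DMA protection report.
# Assumption: Thunderbolt domains are directories named domainX under
# /sys/bus/thunderbolt/devices; the root is a parameter so the function
# can also be pointed at a constructed test tree.

# tb_dma_report [SYSFS_ROOT]
# Prints one line per domain: "<domain> security=<level> iommu=<state>"
#   protected    iommu_dma_protection reads 1
#   unprotected  attribute present but not 1
#   unsupported  attribute missing (kernel does not expose it)
tb_dma_report() {
    root="${1:-/sys/bus/thunderbolt/devices}"
    for dom in "$root"/domain*; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$dom" ] || continue
        name=$(basename "$dom")

        # Security level as reported by the kernel for this domain.
        sec=unknown
        if [ -r "$dom/security" ]; then
            IFS= read -r sec < "$dom/security" || :
        fi

        # IOMMU-based DMA protection, reported separately from the level.
        if [ -r "$dom/iommu_dma_protection" ]; then
            val=
            IFS= read -r val < "$dom/iommu_dma_protection" || :
            case "$val" in
                1) iommu=protected ;;
                *) iommu=unprotected ;;
            esac
        else
            iommu=unsupported
        fi

        printf '%s security=%s iommu=%s\n' "$name" "${sec:-unknown}" "$iommu"
    done
}

# Run against the live system, or against a root passed as the first argument.
tb_dma_report "$@"
```

A domain reported as unsupported or unprotected still relies on its security level alone, which is why both values are shown side by side.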