IOMMU DMA protection support
Newer hardware adds support for using the IOMMU to protect against DMA attacks from connected Thunderbolt devices. The kernel support for this has been posted and will probably land in 4.21.
Support is indicated per domain via `/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection` (`1` means the system is protected, `0` means it is not). If the attribute is missing, the kernel predates this support and bolt has to keep relying on the security level. On protected systems the existing security levels are redundant, because protection against DMA attacks is already provided by the IOMMU in hardware.
ToDo:
- Read `domainX/iommu_dma_protection` and expose it as a property of `BoltDomain`
- `boltctl` should indicate the actual protection in addition to the security level
- Device handling for newly connected devices when the IOMMU is active:
  - auto-enroll new devices (with the new `IOMMU` policy)
  - auto-authorize devices with the `IOMMU` policy
  - auto-import new devices (with the new `IOMMU` policy)
- Adjust the policy from `DEFAULT` to `IOMMU` when manually enrolling a device and the IOMMU is active