diff --git a/drivers/thunderbolt/Kconfig b/drivers/thunderbolt/Kconfig
index 0abdb69ee9f437b41b463112910a7b2b61dd0dfa..8bf4ecf7f76eefd7029de2e22482439c6d43ea0c 100644
--- a/drivers/thunderbolt/Kconfig
+++ b/drivers/thunderbolt/Kconfig
@@ -18,6 +18,24 @@ menuconfig USB4
 
 if USB4
 
+config USB4_PCIE_TUNNELING
+	bool "Allow PCI Express tunneling over USB4 fabric"
+	depends on PCI
+	default y
+	help
+	  USB4 and Thunderbolt devices typically include PCIe switch
+	  with a number of PCIe endpoints such as USB host controllers,
+	  GPUs and network adapters. These are made available to the
+	  host system through PCIe tunneling. These can use DMA and
+	  therefore have access to the host memory which is typically
+	  guarded by an IOMMU. This option allows disabling PCIe
+	  tunneling completely.
+
+	  For devices to be usable it is recommended to say Y here.
+
+	  Note this only works with systems that use Software Based
+	  Connection Manager (this is most USB4 hosts).
+
 config USB4_DEBUGFS_WRITE
 	bool "Enable write by debugfs to configuration spaces (DANGEROUS)"
 	help
diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c
index 390abcfe7188240df585249e4d616ed33e4c5c7a..aa4e7a90b84b9db06566735a69c1a17b3e1b31d2 100644
--- a/drivers/thunderbolt/tb.c
+++ b/drivers/thunderbolt/tb.c
@@ -3336,7 +3336,7 @@ struct tb *tb_probe(struct tb_nhi *nhi)
 	if (!tb)
 		return NULL;
 
-	if (tb_acpi_may_tunnel_pcie())
+	if (tb_may_tunnel_pcie())
 		tb->security_level = TB_SECURITY_USER;
 	else
 		tb->security_level = TB_SECURITY_NOPCIE;
diff --git a/drivers/thunderbolt/tb.h b/drivers/thunderbolt/tb.h
index b54147a1ba8778ab88320637988a093e843478ed..d1ce8f1eccf6c1cd06fa6e851ad0bfaadb0bc1a8 100644
--- a/drivers/thunderbolt/tb.h
+++ b/drivers/thunderbolt/tb.h
@@ -1504,6 +1504,15 @@ static inline int tb_acpi_power_on_retimers(struct tb_port *port) { return 0; }
 static inline int tb_acpi_power_off_retimers(struct tb_port *port) { return 0; }
 #endif
 
+static inline bool tb_may_tunnel_pcie(void)
+{
+#ifdef CONFIG_USB4_PCIE_TUNNELING
+	return tb_acpi_may_tunnel_pcie();
+#else
+	return false;
+#endif
+}
+
 #ifdef CONFIG_DEBUG_FS
 void tb_debugfs_init(void);
 void tb_debugfs_exit(void);
diff --git a/drivers/thunderbolt/tunnel.c b/drivers/thunderbolt/tunnel.c
index 8229a6fbda5ab42859b50ba0d1c7cf5bc2e46c21..5f3eff75c202d8e4f4af30637677e16f34b03f3e 100644
--- a/drivers/thunderbolt/tunnel.c
+++ b/drivers/thunderbolt/tunnel.c
@@ -122,7 +122,7 @@ static unsigned int tb_available_credits(const struct tb_port *port,
 	size_t ndp;
 
 	usb3 = tb_acpi_may_tunnel_usb3() ? sw->max_usb3_credits : 0;
-	pcie = tb_acpi_may_tunnel_pcie() ? sw->max_pcie_credits : 0;
+	pcie = tb_may_tunnel_pcie() ? sw->max_pcie_credits : 0;
 
 	if (tb_acpi_is_xdomain_allowed()) {
 		spare = min_not_zero(sw->max_dma_credits, dma_credits);
@@ -479,7 +479,7 @@ bool tb_tunnel_reserved_pci(struct tb_port *port, int *reserved_up,
 	if (WARN_ON_ONCE(!port->remote))
 		return false;
 
-	if (!tb_acpi_may_tunnel_pcie())
+	if (!tb_may_tunnel_pcie())
 		return false;
 
 	if (tb_port_get_link_generation(port) < 4)
@@ -1641,7 +1641,7 @@ static unsigned int tb_dma_available_credits(const struct tb_port *port)
 	int credits;
 
 	credits = tb_available_credits(port, NULL);
-	if (tb_acpi_may_tunnel_pcie())
+	if (tb_may_tunnel_pcie())
 		credits -= sw->max_pcie_credits;
 	credits -= port->dma_credits;
 
@@ -1952,7 +1952,7 @@ static int tb_usb3_consumed_bandwidth(struct tb_tunnel *tunnel,
 		int *consumed_up, int *consumed_down)
 {
 	struct tb_port *port = tb_upstream_port(tunnel->dst_port->sw);
-	int pcie_weight = tb_acpi_may_tunnel_pcie() ? TB_PCI_WEIGHT : 0;
+	int pcie_weight = tb_may_tunnel_pcie() ? TB_PCI_WEIGHT : 0;
 
 	/*
 	 * PCIe tunneling, if enabled, affects the USB3 bandwidth so
diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c
index e51d01671d8e7cb79494df458b7ecade04d3fce6..1b740d7fc7dab0a9fb7817218375ff7d5db3e8e6 100644
--- a/drivers/thunderbolt/usb4.c
+++ b/drivers/thunderbolt/usb4.c
@@ -276,7 +276,7 @@ int usb4_switch_setup(struct tb_switch *sw)
 	 * Only enable PCIe tunneling if the parent router supports it
 	 * and it is not disabled.
 	 */
-	if (tb_acpi_may_tunnel_pcie() &&
+	if (tb_may_tunnel_pcie() &&
 	    tb_switch_find_port(parent, TB_TYPE_PCIE_DOWN)) {
 		val |= ROUTER_CS_5_PTO;
 		/*