On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
>On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote:
>> Hi
>>
>> Over six years ago, support for VFIO without IOMMU was enabled for
>> arm64. This is a breach of the integrity lockdown requirement of secure
>> boot.
>>
>> VFIO is a framework for handling devices in userspace. To make
>> this safe, an IOMMU is required by default. Without it, user space can
>> write everywhere in memory. The code is still not conditional on
>> lockdown, even if a patch was proposed.
>>
>> I intend to disable this option for all supported kernels.
> Definitely.
Nod.
--
Steve McIntyre, Cambridge, UK.
st...@einval.com
The two hard things in computing:
* naming things
* cache invalidation
* off-by-one errors -- Stig Sandbeck Mathisen
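An added example, not code from the thread or the Debian kernel team: a POSIX shell audit that reports whether a kernel build carries the no-IOMMU VFIO option and whether its runtime switch is on, alongside the lockdown mode. It assumes the upstream Kconfig symbol CONFIG_VFIO_NOIOMMU and the vfio module parameter enable_unsafe_noiommu_mode (neither named in the thread) and reads lockdown state from /sys/kernel/security/lockdown.

```shell
# Added audit script, not from the thread. Assumed names: Kconfig symbol CONFIG_VFIO_NOIOMMU
# and vfio module parameter enable_unsafe_noiommu_mode (the runtime switch for the mode).
# vfio_noiommu_status CONFIG_TEXT: classify the build option in .config text.
vfio_noiommu_status() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_VFIO_NOIOMMU=y'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -q '^# CONFIG_VFIO_NOIOMMU is not set'; then
        echo disabled
    else
        echo unset   # symbol absent from this config
    fi
}
# lockdown_mode LOCKDOWN_TEXT: active mode from the /sys/kernel/security/lockdown
# format, e.g. "none [integrity] confidentiality" -> integrity.
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    echo "${mode:-unknown}"
}
# audit_vfio CONFIG_TEXT LOCKDOWN_TEXT [PARAM]: 0 only when userspace cannot get a
# device without an IOMMU. Lockdown is reported, not consulted: the code ignores it.
audit_vfio() {
    status=$(vfio_noiommu_status "$1")
    mode=$(lockdown_mode "$2")
    param=${3:-N}
    if [ "$status" != enabled ]; then
        echo "ok: CONFIG_VFIO_NOIOMMU $status, lockdown=$mode"
        return 0
    fi
    if [ "$param" = Y ]; then
        echo "FAIL: no-IOMMU VFIO active; lockdown=$mode does not block it"
    else
        echo "FAIL: CONFIG_VFIO_NOIOMMU=y; root can switch it on at runtime under lockdown=$mode"
    fi
    return 1
}
# audit_running_kernel: live inputs (parameter file absent while vfio is not loaded).
audit_running_kernel() {
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null || true)
    ld=$(cat /sys/kernel/security/lockdown 2>/dev/null || true)
    param=$(cat /sys/module/vfio/parameters/enable_unsafe_noiommu_mode 2>/dev/null || true)
    audit_vfio "$cfg" "$ld" "$param"
}

# Constructed sample inputs (not captured from a real system) for offline runs.
SAMPLE_BAD_CONFIG='CONFIG_VFIO=m
CONFIG_VFIO_NOIOMMU=y'
SAMPLE_GOOD_CONFIG='CONFIG_VFIO=m
# CONFIG_VFIO_NOIOMMU is not set'
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
```

Call `audit_running_kernel` as root to check a live machine; the constructed SAMPLE_* strings let `audit_vfio` be exercised without one.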