On my device, when running fwupdmgr security, the only thing missing to reach HSI:3 was IOMMU, which was reported as Not found.

Looking online for how to enable it, I found that I had to enable Intel VT-d in the BIOS and add the kernel argument intel_iommu=on (for Intel processors). The BIOS setting was already enabled; I added the kernel argument, and now fwupdmgr security successfully reports IOMMU as Enabled, and HSI:3.
However, this procedure raised some questions:

- When searching for how to enable the IOMMU, I found it mentioned that for AMD processors the kernel parameter to add is amd_iommu=on. However, it seems that this information is now outdated, as that parameter no longer exists: see here for the possible values of amd_iommu. There is amd_iommu=force_isolation, but I’m not sure if that’s the AMD equivalent of intel_iommu=on. In the secureblue documentation both intel_iommu=on and amd_iommu=force_isolation are listed with the same description (“Mitigate DMA attacks by enabling IOMMU”), suggesting to me that they are indeed equivalent. But the argument amd_iommu=force_isolation is in the list of “Unstable kargs” that “may cause issues on some hardware”. What kind of issues could arise when it is enabled? Should I want to enable it on AMD hardware?

- Actually, secureblue lists iommu=force and intel_iommu=on together as “Mitigate DMA attacks by enabling IOMMU”. So do I actually need both? I also see iommu.passthrough=0, iommu.strict=1 and efi=disable_early_pci_dma, but I don’t understand what they do and whether I should want them. What is the difference between the various IOMMU-related kernel arguments, and what happens if I enable some but not all of them? How do the various arguments affect each other? Can I simply set iommu=force without setting any hardware-specific arguments like amd_iommu and intel_iommu?

- What about processors from other manufacturers and/or with different architectures?

- Does the IOMMU usually come enabled by default in Linux distributions? What are some distributions that have IOMMU enabled by default, without pre-set kernel arguments? (For example, I noticed that some distributions have kernel lockdown disabled by default, and the way to enable it is to set a kernel argument, while other distributions come with kernel lockdown enabled by default without having any pre-set kernel argument.)

- What happens if in the future the kernel argument that I enabled becomes deprecated? For example, if I had had an AMD processor with amd_iommu=on enabled, what would have happened upon updating to a newer kernel version that no longer supported that argument? This is why I would prefer to use a distribution that comes with IOMMU enabled by default, instead of having to enable it myself (so that I do not have to constantly worry about my configuration becoming deprecated).

- Since fwupdmgr security originally reported IOMMU as Not found, is it possible that my hardware does not support IOMMU, and enabling it with a kernel argument does nothing but tricks fwupd into reporting IOMMU as enabled? Is there a way to verify that I correctly enabled IOMMU?
I hope to get answers that can apply in general to other hardware and software, but in any case my hardware is the laptop HP ProBook 450 G8 (Intel processor i7-1165G7), with Fedora Kinoite installed.

In my BIOS the following relevant options are enabled: VTx, VTd, DMA Protection, Pre-boot DMA protection (this one is set to All PCIe devices; the only other possible option is Disable). There is also a setting called Measure additional DMA settings which is disabled by default and I did not enable; the possible values for this setting are Disable, PCR1, PCR7. I do not know what it is; the description says: “When enabled, includes the state of Virtualization Technology (VTx), Virtualization Technology for Directed I/O (VTd), and the Pre-Boot DMA Protection settings into the measurement for the specified PCR”.