From: Baolu Lu <baolu.lu@linux.intel.com>
To: "Tian, Kevin" <kevin.tian@intel.com>,
Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
Robin Murphy <robin.murphy@arm.com>
Cc: baolu.lu@linux.intel.com, Joerg Roedel <jroedel@suse.de>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Ashok Raj <ashok.raj@intel.com>,
Chris Wright <chrisw@sous-sol.org>,
Jesse Barnes <jbarnes@virtuousgeek.org>,
"Mallick, Asit K" <asit.k.mallick@intel.com>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 6/9] iommu/vt-d: Call dmar_can_force_on() for tboot optin
Date: Sun, 21 Jun 2026 09:53:36 +0800 [thread overview]
Message-ID: <25bfc4b7-ec84-41f9-a68c-5dda7839320d@linux.intel.com> (raw)
In-Reply-To: <DM6PR11MB3690B5C7395AB982C0AEBA588CE42@DM6PR11MB3690.namprd11.prod.outlook.com>
On 6/17/2026 3:19 PM, Tian, Kevin wrote:
>> From: Baolu Lu <baolu.lu@linux.intel.com>
>> Sent: Friday, June 12, 2026 9:58 PM
>>
>> On 6/4/2026 1:15 PM, Kevin Tian wrote:
>>>
>>> static __init int tboot_force_iommu(void)
>>> {
>>> - if (!tboot_enabled())
>>> + if (!tboot_enabled() || intel_iommu_tboot_noforce)
>>
>> Hmm, it looks a bit strange here. The core design philosophy is that the
>> trusted boot environment takes priority over user options. However,
>
> user options here refer to "iommu=off" or "intel_iommu=off" which
> opts to enable/disable iommu.
>
>> checking intel_iommu_tboot_noforce at the very top means a user
>> option (intel_iommu=tboot_noforce) is successfully overriding tboot.
>
> but tboot_noforce is to specify the forceon policy on tboot. No conflict.
>
>>
>> Is this an exception? If so, it might be worth adding a brief comment
>> clarifying why `tboot_noforce` is allowed to bypass the priority?
>
> so this is irrelevant to the enable/disable priority part.
Okay, that explains.
The "intel_iommu=tboot_noforce" option is used to disable tboot
entirely, which is not part of the enable/disable override. I suppose
tboot_noforce is only designed for debugging purposes, so it should not
be used in a production environment.
Thanks,
baolu
next prev parent reply other threads:[~2026-06-21 1:53 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 5:15 [PATCH 0/9] iommu/vt-d: Support a new DMAR flag Kevin Tian
2026-06-04 5:15 ` [PATCH 1/9] iommu/vt-d: Fix no_iommu to disable platform optin Kevin Tian
2026-06-04 5:15 ` [PATCH 2/9] iommu/vt-d: Force requesting ACS when tboot is enabled Kevin Tian
2026-06-04 5:15 ` [PATCH 3/9] iommu/vt-d: Remove dead code when CONFIG_INTEL_IOMMU is not set Kevin Tian
2026-06-04 5:15 ` [PATCH 4/9] iommu/vt-d: Consolidate dmar state management and force_on logic Kevin Tian
2026-06-12 11:08 ` Baolu Lu
2026-06-17 7:05 ` Tian, Kevin
2026-06-15 5:00 ` Baolu Lu
2026-06-17 7:14 ` Tian, Kevin
2026-06-21 1:45 ` Baolu Lu
2026-06-04 5:15 ` [PATCH 5/9] iommu/vt-d: Use dmar_can_force_on() for platform optin Kevin Tian
2026-06-12 13:16 ` Baolu Lu
2026-06-17 7:17 ` Tian, Kevin
2026-06-04 5:15 ` [PATCH 6/9] iommu/vt-d: Call dmar_can_force_on() for tboot optin Kevin Tian
2026-06-12 13:57 ` Baolu Lu
2026-06-17 7:19 ` Tian, Kevin
2026-06-21 1:53 ` Baolu Lu [this message]
2026-06-04 5:15 ` [PATCH 7/9] iommu/vt-d: Remove the 'force_on' variable Kevin Tian
2026-06-12 14:16 ` Baolu Lu
2026-06-17 7:22 ` Tian, Kevin
2026-06-04 5:15 ` [PATCH 8/9] iommu/vt-d: Remove dmar_disabled Kevin Tian
2026-06-12 14:26 ` Baolu Lu
2026-06-17 7:23 ` Tian, Kevin
2026-06-04 5:15 ` [PATCH 9/9] iommu/vt-d: Support the new DMA_REMAP_OPT_OUT flag bit Kevin Tian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=25bfc4b7-ec84-41f9-a68c-5dda7839320d@linux.intel.com \
--to=baolu.lu@linux.intel.com \
--cc=ashok.raj@intel.com \
--cc=asit.k.mallick@intel.com \
--cc=chrisw@sous-sol.org \
--cc=iommu@lists.linux.dev \
--cc=jbarnes@virtuousgeek.org \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=kevin.tian@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=robin.murphy@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.