[PATCH RFCv1 1/3] PCI: Allow ATS to be always on for CXL.cache capable devices
Alejandro Lucero Palau
alucerop at amd.com
Thu Jan 22 02:24:58 PST 2026
On 1/21/26 13:03, Jason Gunthorpe wrote:
> On Wed, Jan 21, 2026 at 10:03:07AM +0000, Jonathan Cameron wrote:
>> On Wed, 21 Jan 2026 08:01:36 +0000
>> "Tian, Kevin" <kevin.tian at intel.com> wrote:
>>
>>> +Dan. I recalled an offline discussion in which he raised concern on
>>> having the kernel blindly enable ATS for cxl.cache device instead of
>>> creating a knob for admin to configure from userspace (in case
>>> security is viewed more important than functionality, upon allowing
>>> DMA to read data out of CPU caches)...
>>>
>> +CC Linux-cxl
> A cxl.cache device supporting ATS will automatically enable ATS today
> if the kernel option to enable translation is set.
>
> Even if the device is marked untrusted by the PCI layer (eg an
> external port).
>
> Yes this is effectively a security issue, but it is not really a CXL
> specific problem.
>
> We might perfer to not enable ATS for untrusted devices and then fail to
> load drivers for "ats always on" cases.
>
> Or maybe we can enable one of the ATS security features someday,
> though I wonder if those work for CXL..
I raised my concerns about CXL.cache and virtualization at LPC:
https://lpc.events/event/19/contributions/2173/attachments/1842/3940/LPC_2025_CXL_CACHE.pdf
I expose there some concerns, although I admit some could be due to my
twisted understanding of what CXL specs states, but regarding IOMMU/ATS,
my view is ATS is not safe enough ... what I guess is a matter of
opinion (trusted device based on vendor confirming it is an "official"
device not enough for paranoid mode with vendors subjected to
governments "agencies" actions/pressures). But this links to what I
think Jason points out about ATS security features where the IOMMU
hardware can be configured for checking those translated PCIe accesses
as well, if the host owner/admin paranoid mind decides so. With CXL
cache that is not possible since the route is through a different link
and AFAIK, there is no support for something like this by current
implementations. I think it could be implemented without impacting the
gains from CXL.cache, but that is another story.
So, FWIW, I think it should not be enabled by default.
Thank you,
Alejandro
> Jason
>
More information about the linux-arm-kernel
mailing list