@opsiff (Member) commented Dec 1, 2025

…OUGH to default

#1335

deepin inclusion
category: other

Removed CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y from defconfig to enforce strict DMA isolation by default.
This change aligns ARM64 desktop kernel configuration with other arch.

The config also affects cix in link [1].

Note that this may have some effect on some Phytium FT2000 or Kunpeng 920 devices.

Link: #1335
Fixes: 7821b9fb89ca ("add #880 config")
Fixes: ce41a38 ("arm64: Add deepin_arm64_desktop_defconfig")

Summary by Sourcery

Align ARM64 Deepin desktop kernel configuration with stricter default DMA/IOMMU isolation.

Enhancements:

  • Remove CONFIG_IOMMU_DEFAULT_PASSTHROUGH from the Deepin ARM64 desktop defconfig to enforce non-passthrough IOMMU behavior by default.

Build:

  • Update ARM64 Deepin desktop kernel defconfig to match the default IOMMU policy used on other architectures.
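Added example (not code from this PR or from the deepin kernel tree): a POSIX shell script that settles the two questions a reviewer of this change would want answered. It classifies a defconfig fragment by which member of the kernel's IOMMU default-domain choice it selects (passthrough, strict, lazy, or none, in which case the resulting policy comes from Kconfig's own default rather than from the file), reads the `iommu.passthrough=` boot override out of a kernel command line, and counts IOMMU groups whose sysfs `type` attribute reports `identity`, i.e. devices still running without translation. The config fragments, command lines and the fake `sys/kernel/iommu_groups` tree are constructed here for the demonstration; pass `/` as the root argument to run the group audit on a live system.

```shell
#!/bin/sh
# Added example, not part of the deepin PR: classify the IOMMU default-domain
# selection in a kernel config fragment and audit IOMMU groups for
# identity (passthrough) domains.
set -eu

# Print which member of the Kconfig "IOMMU default domain type" choice the
# file selects: passthrough, strict, lazy, or unset. "unset" means the
# fragment selects none of them, so the policy is whatever Kconfig defaults
# to; the fragment alone does not document it.
iommu_default_from_config() {
    cfg="$1"
    if grep -qx 'CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y' "$cfg"; then
        echo passthrough
    elif grep -qx 'CONFIG_IOMMU_DEFAULT_DMA_STRICT=y' "$cfg"; then
        echo strict
    elif grep -qx 'CONFIG_IOMMU_DEFAULT_DMA_LAZY=y' "$cfg"; then
        echo lazy
    else
        echo unset
    fi
}

# Print the value of iommu.passthrough=<0|1> from a kernel command line, or
# "absent". The boot parameter overrides the compiled-in default, so a strict
# defconfig can still be undone by a bootloader entry.
iommu_passthrough_from_cmdline() {
    cmdline="$1"
    for word in $cmdline; do
        case "$word" in
            iommu.passthrough=*) echo "${word#iommu.passthrough=}"; return 0 ;;
        esac
    done
    echo absent
}

# Count IOMMU groups under $1/sys/kernel/iommu_groups whose domain type is
# "identity" (passthrough). One "group <n>: <type>" line per group goes to
# stderr; the identity count goes to stdout. Use "/" on a live system.
count_identity_groups() {
    root="$1"
    n=0
    for t in "$root"/sys/kernel/iommu_groups/*/type; do
        [ -e "$t" ] || continue
        dom=$(cat "$t")
        group=$(basename "$(dirname "$t")")
        echo "group $group: $dom" >&2
        if [ "$dom" = identity ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# --- constructed sample inputs (not taken from the PR) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/before.cfg" <<'EOF'
CONFIG_IOMMU_IO_PGTABLE_ARMV7S=y
CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y
CONFIG_IOMMUFD=m
EOF
cat > "$demo/after.cfg" <<'EOF'
CONFIG_IOMMU_IO_PGTABLE_ARMV7S=y
CONFIG_IOMMUFD=m
EOF
cat > "$demo/explicit.cfg" <<'EOF'
CONFIG_IOMMU_IO_PGTABLE_ARMV7S=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_IOMMUFD=m
EOF

# Fake sysfs tree: two groups translated (DMA, DMA-FQ), one left in identity.
for g in 0 1 2; do mkdir -p "$demo/sys/kernel/iommu_groups/$g"; done
echo DMA      > "$demo/sys/kernel/iommu_groups/0/type"
echo DMA-FQ   > "$demo/sys/kernel/iommu_groups/1/type"
echo identity > "$demo/sys/kernel/iommu_groups/2/type"

echo "before.cfg selects:   $(iommu_default_from_config "$demo/before.cfg")"
echo "after.cfg selects:    $(iommu_default_from_config "$demo/after.cfg")"
echo "explicit.cfg selects: $(iommu_default_from_config "$demo/explicit.cfg")"
echo "cmdline override:     $(iommu_passthrough_from_cmdline "root=/dev/sda1 iommu.passthrough=1 quiet")"
echo "identity groups:      $(count_identity_groups "$demo")"
```

The "unset" result for the post-change fragment is the point: removing the `=y` line takes the explicit selection out of the defconfig, so confirming the strict policy means inspecting the generated `.config`, the running kernel's command line, and the per-group `type` files, not just the diff.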

sourcery-ai bot commented Dec 1, 2025

Reviewer's Guide

This PR updates the ARM64 desktop defconfig to remove the default IOMMU passthrough setting, enforcing strict DMA isolation by default and aligning the ARM64 desktop kernel configuration with other architectures.

File-Level Changes

Change: Enforce strict DMA isolation by removing the default IOMMU passthrough configuration from the ARM64 desktop defconfig.
Details:
  • Unset CONFIG_IOMMU_DEFAULT_PASSTHROUGH from the deepin_arm64_desktop_defconfig so devices no longer default to IOMMU passthrough mode.
  • Align the ARM64 desktop kernel configuration with other architectures that already ship without IOMMU_DEFAULT_PASSTHROUGH enabled by default.
  • Implicitly change DMA/IOMMU behavior for affected hardware (e.g., Phytium FT2000 and Kunpeng 920), potentially impacting devices or drivers that relied on passthrough.
Files: arch/arm64/configs/deepin_arm64_desktop_defconfig


sourcery-ai bot left a comment


Hey there - I've reviewed your changes and they look great!



…OUGH to default

deepin inclusion
category: other

Removed CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y from defconfig to
enforce strict DMA isolation by default.
This change aligns ARM64 desktop kernel configuration with other arch.

The config also affects cix in link [1].

Note that this may have some effect on some Phytium FT2000 or Kunpeng 920 devices.

Link: deepin-community#1335
Fixes: 7821b9fb89ca ("add deepin-community#880 config")
Fixes: ce41a38 ("arm64: Add deepin_arm64_desktop_defconfig")
Reported-by: Dylan.Wu <[email protected]>
Signed-off-by: Wentao Guan <[email protected]>
@opsiff force-pushed the linux-6.6.y-2025-12-01-arm64-config branch from 0c3f9d6 to 071876b on December 1, 2025 06:54
deepin-ci-robot commented: deepin pr auto review

Let me help you analyze this kernel configuration file change.

  1. Syntax and logic analysis:
  • This change removes one configuration line, CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y
  • Syntactically it is correct and conforms to the kernel configuration file format
  2. Code quality analysis:
  • The change looks reasonable, because a passthrough default may carry security risks
  • Removing this option makes the system use the more secure default IOMMU setting
  3. Performance analysis:
  • Removing passthrough mode may introduce some performance overhead, because:
    • in passthrough mode the IOMMU performs no address translation and devices access physical memory directly
    • once it is disabled, every DMA operation must go through IOMMU address translation
  • This overhead is usually acceptable, because:
    • address translation on modern IOMMU hardware already performs well
    • the security gain usually matters more than a slight performance loss
  4. Security analysis:
  • This is a good security improvement:
    • passthrough mode lets devices access system memory directly, which is a security hazard
    • with passthrough disabled, the IOMMU will:
      • restrict each device to the memory regions allocated to it
      • prevent malicious devices from accessing other memory regions
      • provide memory isolation and protection
  • This helps defend against:
    • DMA attacks
    • memory leaks
    • memory access by malicious devices

Suggestions for improvement:

  1. The change itself is good, but it is recommended to:

    • make sure the relevant drivers set up IOMMU mappings correctly
    • test whether the performance of key devices stays within an acceptable range
    • verify that all devices still work normally
  2. If certain devices really do need passthrough mode, consider:

    • configuring passthrough for those specific devices individually
    • rather than enabling passthrough globally
  3. Suggest adding a configuration comment:

    # Disabled IOMMU passthrough for better security
    # CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set
    

Overall, this is a good security improvement. Although there may be a slight performance impact, the security benefit far outweighs the performance loss. Implementing this change is recommended, but thorough testing is needed to ensure system stability.

Copilot AI left a comment

Pull request overview

This PR removes CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y from the Deepin ARM64 desktop kernel configuration to enforce strict DMA isolation by default. The change aligns the Deepin ARM64 defconfig with standard kernel security practices and other architecture configurations. The PR description notes potential compatibility impacts on certain Phytium FT2000 and Kunpeng 920 devices.

  • Removes IOMMU passthrough mode to enable stricter DMA isolation
  • Aligns ARM64 desktop configuration with security best practices


CONFIG_QCOM_IPCC=m
CONFIG_IOMMU_IO_PGTABLE_ARMV7S=y
CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y
CONFIG_IOMMUFD=m
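Review bot: dropping `CONFIG_IOMMU_DEFAULT_PASSTHROUGH=y` leaves the defconfig silent about which member of the IOMMU default-domain choice should apply, so the "strict DMA isolation" the description promises rests on Kconfig's fallback rather than on anything visible in this file. Prefer to state the policy explicitly by adding the sibling choice option `CONFIG_IOMMU_DEFAULT_DMA_STRICT=y` beside `CONFIG_IOMMUFD=m`, and if `make savedefconfig` drops it again because it matches the default, keep a `# ...` comment recording the intent. Either way, confirm the strict symbol in the generated `.config` and boot-test the FT2000 and Kunpeng 920 boards the description names before merging, since they are the ones the author expects to be affected.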
Copilot AI commented Dec 1, 2025

The PR description mentions this change may affect 'cix' (referencing CIX_DSP_REMOTEPROC and related configs at lines 4074-4077) and certain hardware devices (Phytium FT2000, Kunpeng 920). Consider adding a code comment near the IOMMU configuration section documenting this deliberate removal and any known hardware compatibility considerations, especially since CONFIG_SMMU_BYPASS_DEV=y is still enabled at line 4062 which may provide an alternative bypass mechanism for affected devices.

Suggested change
CONFIG_IOMMUFD=m
CONFIG_IOMMUFD=m
# NOTE: The following IOMMU (SMMU) configuration may affect 'cix' (see CIX_DSP_REMOTEPROC and related configs previously at lines 4074-4077)
# and certain hardware devices (Phytium FT2000, Kunpeng 920). The deliberate removal of CIX_DSP_REMOTEPROC and related configs
# may impact compatibility for these devices. However, CONFIG_SMMU_BYPASS_DEV=y is still enabled below, which may provide
# an alternative bypass mechanism for affected devices. Please review hardware requirements before modifying these options.

@Cryolitia (Member) left a comment

LGTM

@Avenger-285714 (Member) commented

  1. Suggest testing whether the SoCs FT2000, D3000, and kp920 have issues, as you noted.

  2. Since you traced this to a specific commit (an internal 2019 commit and its commit message), please attach that record to the commit description for future reference.

  3. For reference, it appears that Ubuntu does not enable this configuration option.

@Avenger-285714 (Member) commented

/approve

deepin-ci-robot commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Avenger-285714, Cryolitia


@opsiff (Member, Author) commented Dec 2, 2025

  1. Suggest testing whether the SoCs FT2000, D3000, and kp920 have issues, as you noted.
  2. Since you traced this to a specific commit (an internal 2019 commit and its commit message), please attach that record to the commit description for future reference.
  3. For reference, it appears that Ubuntu does not enable this configuration option.
  1. I don't know anything more because it is the init config.
    TITLE: 7821b9fb89ca ("add [Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] Revert "drm/amd/display: more liberal vmin/vmax update for freesync" #880 config")

COMMIT_MSG:

add #880 config
Signed-off-by: Caicai [email protected]

DIFF:
https://gist.github.com/opsiff/9d5888868e2cbdd476a250b6f20646fb

@Avenger-285714 (Member) commented

COMMIT_MSG:

add #880 config Signed-off-by: Caicai [email protected]

DIFF: https://gist.github.com/opsiff/9d5888868e2cbdd476a250b6f20646fb

Well.

Nice try — archiving’s not for everybody.

If archiving were a sport, Uniontech/deepin would be on the bench.

Thank Caicai.

@Avenger-285714 (Member) commented

/lgtm

4 participants