RHEL-115405

Investigate iommu.strict=0 on ARM RHEL9/10: Is the performance "hack" still required on modern AWS AMIs?


      Background

      iommu.strict=0 was added to the kernel command line of ARM RHEL 8.5 images on AWS to improve I/O performance (BZ1836058).
      This setting disables synchronous IOMMU TLB invalidations, favoring a "lazy" mode to reduce overhead for high-throughput network workloads. With advancements in the Linux kernel and AWS hardware, this optimization may no longer be necessary, and its continued use could pose an unnecessary security risk.

      This research ticket aims to:

      • Determine if the iommu.strict=0 setting remains a performance benefit for typical workloads on RHEL9 and especially RHEL10 ARM AMIs.
      • Evaluate any potential security implications of keeping this setting in modern kernel versions.
      • Propose a new default behavior for our AMIs, either by removing the flag or confirming its necessity, to ensure we balance optimal performance with a secure default configuration.

      Justification

      The decision to include iommu.strict=0 in RHEL 8.5 was a targeted solution for a specific performance BZ. However, kernel development is rapid, and performance bottlenecks that existed in RHEL 8* may have been resolved in later versions. For example, newer kernel versions (RHEL 9 and RHEL 10) may have optimized IOMMU drivers, improved memory management, or introduced new hardware-level mitigations that make this hack redundant.

      Continuing to use this setting without re-evaluation could mean we are carrying an unnecessary security risk. While the risk may be small in our controlled environment, we would prefer to avoid any non-default, security-compromising kernel parameters unless they are strictly needed for performance.

      This investigation will ensure that our ARM RHEL AMIs are aligned with the latest kernel development, providing the best possible performance to our customers while maintaining a strong security posture.
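
      A check an image reviewer could run while evaluating this flag, as an added example that is not part of the original ticket or of any Red Hat tooling: it reports what a kernel command line requests for iommu.strict and how many IOMMU groups sysfs shows in lazy mode. The function names are hypothetical, and the "DMA-FQ" / "DMA" strings assume a kernel that exposes the lazy flush-queue domain type in /sys/kernel/iommu_groups/<n>/type.

```shell
#!/bin/sh
# Added example: audit the iommu.strict request and the effective domain type.

# Print what a kernel command line ($1) requests: "lazy", "strict" or "unset".
# The kernel parses the value as a boolean from its leading characters, a later
# occurrence overrides an earlier one, and an unparseable value is ignored.
iommu_strict_mode() (
    set -f                      # no globbing while splitting the command line
    mode=unset
    for arg in $1; do
        case "$arg" in
            iommu.strict=*)
                case "${arg#iommu.strict=}" in
                    0*|[nN]*|[oO][fF]*) mode=lazy ;;
                    1*|[yY]*|[oO][nN]*) mode=strict ;;
                    *) ;;       # ignored by the kernel: keep the previous mode
                esac ;;
        esac
    done
    printf '%s\n' "$mode"
)

# Count IOMMU groups whose default domain is in lazy (flush queue) mode.
# $1 is the sysfs directory to scan; defaults to the live system.
lazy_group_count() (
    count=0
    for f in "${1:-/sys/kernel/iommu_groups}"/*/type; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "DMA-FQ" ]; then
            count=$((count + 1))
        fi
    done
    printf '%s\n' "$count"
)

# One-line report: $1 is the command line text, $2 an optional sysfs directory.
audit_iommu() {
    printf 'cmdline request: %s, lazy groups in sysfs: %s\n' \
        "$(iommu_strict_mode "$1")" "$(lazy_group_count "$2")"
}

# Report on the running instance (prints "unset" and 0 where the files are absent).
audit_iommu "$(cat /proc/cmdline 2>/dev/null)"
```

      A result of "unset" together with a non-zero lazy group count means lazy mode comes from the kernel's build-time default rather than from the AMI's command line.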

              xiliang@redhat.com Frank Liang
              igulina Irina Gulina