On Mon, Jul 06, 2026 at 01:45:33PM -0500, Tom Lendacky wrote:
In that situation, with SME enabled on the host, the SWIOTLB must be
mapped by the kernel without the encryption bit set and DMA addresses
must be provided to devices without the encryption bit set. This is
because if SWIOTLB is mapped encrypted, requiring the encryption bit be
part of the DMA address, any device that cannot perform DMA at the
address width where the encryption bit exists will fail to DMA properly.
Ideally there would be two SWIOTLBs and "decrypted" aka low address,
one is only used if the device requires it.
Alternatively we don't support this questionable security choice and
using swiotlb with an incapable device just fails. Use the iommu, or
don't force swiotlb.
Jason