On 11/21/2016 10:43 AM, ron minnich wrote:
> Talidan, just be aware, you can spend the money on enabling IOMMU in coreboot, but you should not just assume that it gets upstreamed.
That's why I was suggesting we discuss mitigating DMA attacks instead of going after the IOMMU directly. We have the AMD platform documentation and should be able to properly configure the hardware to reject DMA attacks, even without the IOMMU active, unless AMD inserted a backdoor into the relevant hardware as they have been known to do. At least they have been kind enough to document said backdoors when they are present!
--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com

On Mon, Nov 21, 2016 at 9:21 AM Timothy Pearson <tpearson@raptorengineering.com> wrote:
> On 11/21/2016 10:43 AM, ron minnich wrote:
> > Talidan, just be aware, you can spend the money on enabling IOMMU in coreboot, but you should not just assume that it gets upstreamed.
> That's why I was suggesting we discuss mitigating DMA attacks instead of going after the IOMMU directly.
Got it, thanks. So, in a more general case, what can we do to remediate such attacks across all the systems we have? And, further, what PCI support can we contemplate removing now that kernels are smarter, so as to help ensure that we don't accidentally make such attacks possible in the future?
And, in the age of FSP blobs, what should we check to make sure FSP has not accidentally enabled such attacks?