Interesting thread. I would like to thank you all for a very/extremely interesting read. This thread has forced me to start thinking about/focusing on the problems you have outlined here.
I have no idea how things are handled in Coreboot regarding VT-x and VT-d. I do know how these two HW extensions are handled in UEFI/legacy BIOS: you either enable/disable them, independently, or not. So, if you, for example, do not set VT-x, you are not able to bring up any kind of HYP/VMM doing true MMU translation. The same applies for VT-d: if it is not set, you are not able to do any IOMMU translation.
I tried to find both the VT-x and VT-d settings in Coreboot 4.4 (from August 2016), but was not able to find any switches in .config. My question here is: *how are the HW extensions for INTEL/AMD VT-x and VT-d handled (enabled/disabled) in Coreboot?*
Let me now switch to another part of this thread, the main part: BME (Bus Master Enable). This is a different topic, but related to the VTs. I would agree with Ron (Minnich) in his comment that the minimum of the HW should be configured in Coreboot, so my take on this is that BME should NOT be enabled anyhow, anywhere, and should be left to the actual OS to do. Since Coreboot is truly Linux oriented, I would say that the kernel should properly go over the PCIe discovery algorithm/the discovered PCIe tree and properly set the bridges with BME (by configuring the kernel .config).
In this vein, I would like to propose two addendums: one already proposed by several people (Ron): to add a BME algorithm to the ramstage of Coreboot, which will print warnings for any bridge which has the BME bit set; and the other one: to create a critical Bugzilla entry against Linus's (Torvalds) crew (kernel.org) to add proper handling of BMEs in the kernel: https://bugzilla.kernel.org/ .
About security aspects... They are to be taken into account *AFTER* the proposed changes (logical steps), since we divide and conquer, don't we?
Thank you, Zoran
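The ramstage BME audit proposed above, as an added example that is not coreboot's own code: it walks a snapshot of PCI configuration-space headers, flags every PCI-to-PCI bridge (header type 1) whose Command register has Bus Master Enable (bit 2) set, and can be pointed at /sys/bus/pci/devices on Linux for a post-boot comparison. The device table below is constructed; the header offsets and bit positions are those of the PCI specification.

```python
import glob
from typing import Dict, List

# PCI configuration-space header offsets (common to type 0 and type 1 headers)
VENDOR_ID = 0x00      # 16-bit vendor ID; 0xFFFF means no device present
COMMAND = 0x04        # 16-bit Command register
HEADER_TYPE = 0x0E    # bit 7 = multi-function, bits 0-6 = header layout
BME_BIT = 1 << 2      # Command bit 2: Bus Master Enable (device may initiate DMA)
HDR_TYPE_MASK = 0x7F
HDR_PCI_BRIDGE = 0x01 # type 1 header = PCI-to-PCI bridge

def bme_set(cfg: bytes) -> bool:
    command = int.from_bytes(cfg[COMMAND:COMMAND + 2], "little")
    return bool(command & BME_BIT)

def is_bridge(cfg: bytes) -> bool:
    return (cfg[HEADER_TYPE] & HDR_TYPE_MASK) == HDR_PCI_BRIDGE

def audit_bme(devices: Dict[str, bytes]) -> List[str]:
    """Return one warning line per bridge that already has BME set."""
    warnings = []
    for bdf, cfg in sorted(devices.items()):
        if len(cfg) < 0x40:          # need at least the standard 64-byte header
            continue
        vendor = int.from_bytes(cfg[VENDOR_ID:VENDOR_ID + 2], "little")
        if vendor == 0xFFFF:         # empty slot, nothing to check
            continue
        if is_bridge(cfg) and bme_set(cfg):
            warnings.append(f"WARNING: {bdf}: PCI bridge (vendor {vendor:04x}) "
                            "has Bus Master Enable set before OS handoff")
    return warnings

def read_sysfs_config(root: str = "/sys/bus/pci/devices") -> Dict[str, bytes]:
    """Linux only: the first 64 bytes of each config file are readable unprivileged."""
    devices = {}
    for path in glob.glob(f"{root}/*/config"):
        with open(path, "rb") as f:
            devices[path.split("/")[-2]] = f.read(0x40)
    return devices

def make_cfg(vendor: int, command: int, header_type: int) -> bytes:
    """Build a minimal 64-byte header for the constructed sample below."""
    cfg = bytearray(0x40)
    cfg[VENDOR_ID:VENDOR_ID + 2] = vendor.to_bytes(2, "little")
    cfg[COMMAND:COMMAND + 2] = command.to_bytes(2, "little")
    cfg[HEADER_TYPE] = header_type
    return bytes(cfg)

SAMPLE_DEVICES = {  # constructed, not captured from real hardware
    "0000:00:01.0": make_cfg(0x8086, 0x0007, 0x01),  # bridge, IO|MEM|BME set -> warn
    "0000:00:1c.0": make_cfg(0x8086, 0x0003, 0x81),  # multi-function bridge, BME clear
    "0000:00:02.0": make_cfg(0x8086, 0x0007, 0x00),  # endpoint, not a bridge
    "0000:00:1f.7": make_cfg(0xFFFF, 0xFFFF, 0xFF),  # empty slot
}

if __name__ == "__main__":
    for line in audit_bme(SAMPLE_DEVICES):
        print(line)
```

Running it after Linux has booted will report most bridges, since the kernel itself sets BME during enumeration; the interesting run is the one against firmware state before handoff.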
On Mon, Nov 21, 2016 at 10:15 PM, ron minnich rminnich@gmail.com wrote:
On Mon, Nov 21, 2016 at 10:54 AM Rudolf Marek r.marek@assembler.cz wrote:
BME is ignored by Intel integrated graphics - the DMA runs even if the BME is clear (this happens on Core i7 chipsets, for example). Thus that's why it needs the RMRR IOMMU range for VGA...
wow. It's amazing how many of the PCI violations I've dealt with over the years have been for intel chips :-)
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot