On 11/22/2016 12:48 AM, Zoran Stojsavljevic wrote:
Interesting thread. I would like to thank you all for a very/extremely interesting read. And this thread forced me to start thinking about/focusing on the problems you have outlined here.
I have no idea how things are handled in Coreboot regarding VT-x and VT-d. I do know how these two HW extensions are handled in UEFI/legacy BIOS. You either enable/disable them, independently, or not. So, if you, for example, do not set VT-x, you are not able to bring up any kind of HYP/VMM doing true MMU translation. The same applies to VT-d. If it is not set, you are not able to do any IOMMU translation.
I tried to find both the VT-x and VT-d settings in Coreboot 4.4 (from August 2016), but was not able to find any switches in .config. My question here is: *how are the HW extensions for INTEL/AMD VT-x and VT-d handled (enabled/disabled) in Coreboot?*
Let me now switch to another part of this thread, the main part: BME (Bus Master Enable). This is a different topic, but related to the VTs. I would agree with Ron (Minnich) on his comment that a minimum of the HW should be configured in Coreboot, so my take on this is that BME should NOT be enabled anyhow, anywhere, and left to the actual OS to do. Since Coreboot is truly Linux oriented, I would say that the kernel should properly go over the PCIe discovery algorithm/the discovered PCIe tree and properly set the bridges with BME (by configuring the kernel .config).
In that light, I would like to propose two addenda: one already proposed by several people (Ron): to add a BME algorithm to the ramstage of Coreboot, which will print warnings for any bridge which has the BME bit set, and the other one: to file a critical Bugzilla against Linus's (Torvalds) crew (kernel.org) to add proper handling of BME in the kernel: https://bugzilla.kernel.org/ .
About the security aspects... They are to be taken into account *AFTER* the proposed changes (logical steps), since we divide and conquer, don't we?
Thank you, Zoran
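The ramstage BME warning pass discussed in this thread, as an added example that is not coreboot's code and not anything posted by the participants: it walks a table of PCI configuration-space headers, reports every bridge whose Command register has Bus Master Enable set, and shows the matching clear. The register offsets (Vendor ID at 0x00, Command at 0x04 with BME as bit 2, Header Type at 0x0E, Secondary Bus at 0x19) are the standard PCI header layout; the device table, its vendor ID 0x1234, bus numbers and slot assignments are constructed here to stand in for the config-space reads a real ramstage pass would perform.

```c
/* Added example, not coreboot code: audit the PCI Bus Master Enable (BME)
 * bit over a constructed table of configuration-space headers.  Offsets
 * follow the standard PCI header; cfg[] stands in for config-space reads. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_VENDOR_ID       0x00      /* 16-bit; reads 0xffff when no device */
#define PCI_COMMAND         0x04      /* 16-bit */
#define PCI_COMMAND_MASTER  (1 << 2)  /* Bus Master Enable */
#define PCI_HEADER_TYPE     0x0e      /* bits 6:0 = layout, bit 7 = multifunction */
#define PCI_HEADER_BRIDGE   0x01      /* type 1 header: PCI-to-PCI bridge */
#define PCI_SECONDARY_BUS   0x19      /* type 1 header only */

struct pci_func {
    uint8_t bus, dev, fn;
    uint8_t cfg[64];                  /* first 64 bytes of config space */
};

static uint16_t cfg_read16(const struct pci_func *f, unsigned off)
{
    return (uint16_t)(f->cfg[off] | (f->cfg[off + 1] << 8));
}

static void cfg_write16(struct pci_func *f, unsigned off, uint16_t v)
{
    f->cfg[off] = v & 0xff;
    f->cfg[off + 1] = v >> 8;
}

static int is_present(const struct pci_func *f) { return cfg_read16(f, PCI_VENDOR_ID) != 0xffff; }
static int is_bridge(const struct pci_func *f) { return (f->cfg[PCI_HEADER_TYPE] & 0x7f) == PCI_HEADER_BRIDGE; }
static int bme_set(const struct pci_func *f) { return cfg_read16(f, PCI_COMMAND) & PCI_COMMAND_MASTER; }

/* Warn about every bridge with BME set and return the count; endpoints with
 * BME set are noted and counted in *endpoints.  An empty slot reads all ones
 * (so its Command register also looks like BME set): check presence first. */
int audit_bme(const struct pci_func *funcs, size_t n, int *endpoints)
{
    int bridges = 0;
    *endpoints = 0;
    for (size_t i = 0; i < n; i++) {
        const struct pci_func *f = &funcs[i];
        if (!is_present(f) || !bme_set(f))
            continue;
        if (is_bridge(f)) {
            printf("WARNING: bridge %02x:%02x.%x (secondary bus %02x) has BME set\n",
                   f->bus, f->dev, f->fn, f->cfg[PCI_SECONDARY_BUS]);
            bridges++;
        } else {
            printf("note: endpoint %02x:%02x.%x has BME set\n", f->bus, f->dev, f->fn);
            (*endpoints)++;
        }
    }
    return bridges;
}

/* Clear BME without disturbing the other Command bits (I/O, memory, ...). */
void clear_bme(struct pci_func *f)
{
    cfg_write16(f, PCI_COMMAND, cfg_read16(f, PCI_COMMAND) & ~PCI_COMMAND_MASTER);
}

/* Constructed sample: hypothetical vendor ID 0x1234, bus numbers and slots. */
size_t build_sample(struct pci_func *out, size_t max)
{
    if (max < 4)
        return 0;
    memset(out, 0, 4 * sizeof(*out));
    out[0].dev = 0x1c;                       /* 00:1c.0 root port, IO+MEM+BME */
    cfg_write16(&out[0], PCI_VENDOR_ID, 0x1234);
    cfg_write16(&out[0], PCI_COMMAND, 0x0007);
    out[0].cfg[PCI_HEADER_TYPE] = 0x80 | PCI_HEADER_BRIDGE;   /* multifunction */
    out[0].cfg[PCI_SECONDARY_BUS] = 0x01;
    out[1].dev = 0x1c; out[1].fn = 4;        /* 00:1c.4 root port, IO+MEM only */
    cfg_write16(&out[1], PCI_VENDOR_ID, 0x1234);
    cfg_write16(&out[1], PCI_COMMAND, 0x0003);
    out[1].cfg[PCI_HEADER_TYPE] = PCI_HEADER_BRIDGE;
    out[1].cfg[PCI_SECONDARY_BUS] = 0x02;
    out[2].bus = 1;                          /* 01:00.0 endpoint, MEM+BME */
    cfg_write16(&out[2], PCI_VENDOR_ID, 0x1234);
    cfg_write16(&out[2], PCI_COMMAND, 0x0006);
    out[3].bus = 2;                          /* 02:00.0 empty slot: all ones */
    memset(out[3].cfg, 0xff, sizeof(out[3].cfg));
    return 4;
}

/* Audit the sample, optionally clearing BME on 00:1c.0 first.  Returns the
 * number of bridges flagged; *endpoints (may be NULL) gets the endpoint count. */
int sample_bridges(int clear_first, int *endpoints)
{
    struct pci_func funcs[4];
    size_t n = build_sample(funcs, 4);
    int eps;
    if (clear_first)
        clear_bme(&funcs[0]);
    int bridges = audit_bme(funcs, n, &eps);
    if (endpoints)
        *endpoints = eps;
    return bridges;
}

int sample_endpoints(void) { int e; sample_bridges(0, &e); return e; }
```

On the constructed table the first pass flags one bridge (00:1c.0) and one endpoint (01:00.0), skips the port without BME and the empty slot, and after clear_bme on 00:1c.0 flags no bridges. The example only warns rather than clearing unconditionally because a PCI-to-PCI bridge forwards upstream memory transactions from its secondary side only while its own BME bit is set, so firmware that boots from a DMA-capable device behind a root port (a SATA, USB or network controller) needs BME on that path until the payload is done with the device.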
On Mon, Nov 21, 2016 at 10:15 PM, ron minnich <rminnic
Yes! Thank you to all for an excellent thread. It has been very informative.
With a normal BIOS the GUI simply sets CMOS settings, and in coreboot we currently have no GUI, so we must set them with "nvramcui" or in the cmos.defaults at compile time (a file in the motherboard folder, e.g. coreboot/src/mainboard/asus/kgpe-d16). And here we set: iommu = Enable
There is, however, not one for HVM as far as I can tell.
I propose not referring to the IOMMU as the Intel-branded "VT-d"; I have encountered many people who think that it is an Intel technology and that no other company has an equivalent (lol).