[coreboot] DMA protection? [AMD-Vi]

Timothy Pearson tpearson at raptorengineering.com
Wed Nov 16 20:19:32 CET 2016


On 11/15/2016 03:35 PM, Taiidan at gmx.com wrote:
> I have a KGPE-D16 with IOMMU/AMD-Vi and I was wondering if it would be
> possible to designate in coreboot certain devices as pass-through only, to
> stop them from communicating with the host? If I have to launch a rescue
> CD or whatnot, then a rogue infected device could do a DMA attack, correct?
> On Linux, does the IOMMU only isolate from the host devices assigned to a
> guest? Assigned to pci-stub? Or is there always some level of mediation?
> My system says "dom0 mode - relaxed" right below the AMD-Vi messages;
> what does it mean?
> Thanks for any replies!

Coreboot does not currently configure the IOMMU to reject unauthorized
access; it waits for Linux to start and configure the IOMMU.  By
default, Linux configures the IOMMU (if present) to only accept access
to authorised areas of memory*, therefore once Linux starts, exploiting
the system via PCI becomes very difficult.  If you have passed any
options to Linux regarding the IOMMU (e.g. iommu=soft or iommu=pt), the
system may have lost this protection, so be careful!

It might be an interesting experiment to configure the IOMMU from within
coreboot in order to close the small window where a malicious PCI device
could attack the host.  This is something we'd be willing to consider
under contract if there's interest.

I hope this helps!

* Both Raptor and other KGPE-D16 users have seen this in action with
rogue cards -- in particular, one USB 3 card with firmware blobs
attempted to scan host memory.  When a peripheral misbehaves in this
manner, you will see messages similar to:

"AMD-Vi: Event logged [IO_PAGE_FAULT device=00.00.0 domain=0x0000
address=0x0000000000000000 flags=0x0000]"

Each one of those is a peripheral access to main memory that has been
blocked by the IOMMU.  If you see a lot of these, especially if they
continue to be generated after bootup, you probably have a buggy or
malicious PCI device installed.

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
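The two practical checks the reply describes, triaging AMD-Vi IO_PAGE_FAULT events from dmesg and checking whether the kernel command line carries an IOMMU option that weakens isolation, as an added example that is not part of the original mail or of coreboot. The dmesg sample below is constructed (a hypothetical card at 05:00.0 probing memory during and after boot, and one late access by 03:00.1), the 60-second "boot window" is an arbitrary threshold, and the parser assumes plain `dmesg` output with seconds-since-boot prefixes and the AMD-Vi line format quoted above.

```python
"""Triage AMD-Vi IO_PAGE_FAULT events and check kernel IOMMU options.

Added example, not code from the coreboot project or the mail's author.
Assumes plain `dmesg` output ("[ seconds.micros] ..." prefixes, not the
`dmesg -T` wall-clock form) and the "AMD-Vi: Event logged [IO_PAGE_FAULT
device=.. domain=.. address=.. flags=..]" line format quoted in the mail.
"""
import re
from typing import Dict, List

# Constructed sample, NOT a real capture. Card 05:00.0 has two blocked DMA
# accesses early in boot and three more two minutes later; 03:00.1 has one.
SAMPLE_DMESG = """\
[    1.812345] AMD-Vi: Enabling IOMMU at 0000:00:00.2 cap 0x40
[    1.823456] AMD-Vi: Lazy IO/TLB flushing enabled
[    2.101010] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0005 address=0x00000000c0000000 flags=0x0010]
[    2.101100] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0005 address=0x00000000c0001000 flags=0x0010]
[   45.500000] usb 3-1: new SuperSpeed USB device number 2 using xhci_hcd
[  120.250000] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0005 address=0x0000000000000000 flags=0x0000]
[  121.000000] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0005 address=0x0000000000001000 flags=0x0000]
[  121.000500] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0005 address=0x0000000000002000 flags=0x0000]
[  300.000000] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.1 domain=0x0003 address=0x00000000fee00000 flags=0x0020]
"""

# The device field is bus:dev.fn; the mail quotes it as "00.00.0", so accept
# either separator after the bus number and normalise to "bb:dd.f".
EVENT_RE = re.compile(
    r"^\[\s*(?P<ts>[0-9]+\.[0-9]+)\]\s+AMD-Vi: Event logged \[IO_PAGE_FAULT"
    r"\s+device=(?P<dev>[0-9a-fA-F]{2}[:.][0-9a-fA-F]{2}\.[0-7])"
    r"\s+domain=(?P<dom>0x[0-9a-fA-F]+)"
    r"\s+address=(?P<addr>0x[0-9a-fA-F]+)"
    r"\s+flags=(?P<flags>0x[0-9a-fA-F]+)\]"
)


def parse_io_page_faults(dmesg_text: str) -> List[Dict]:
    """Return one record per blocked peripheral access found in dmesg text."""
    events = []
    for line in dmesg_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        dev = m["dev"]
        events.append({
            "ts": float(m["ts"]),
            "device": dev[:2] + ":" + dev[3:],
            "domain": int(m["dom"], 16),
            "address": int(m["addr"], 16),
            "flags": int(m["flags"], 16),
        })
    return events


def summarize_by_device(events: List[Dict], boot_window_s: float = 60.0) -> Dict[str, Dict]:
    """Count faults per device, separating those logged after the boot window.

    A burst during early boot can be a driver/firmware quirk; faults that keep
    arriving long after boot are what the mail calls out as suspicious.
    """
    summary: Dict[str, Dict] = {}
    for ev in events:
        s = summary.setdefault(ev["device"], {
            "total": 0, "after_boot": 0,
            "first_ts": ev["ts"], "last_ts": ev["ts"], "addresses": set(),
        })
        s["total"] += 1
        if ev["ts"] > boot_window_s:
            s["after_boot"] += 1
        s["first_ts"] = min(s["first_ts"], ev["ts"])
        s["last_ts"] = max(s["last_ts"], ev["ts"])
        s["addresses"].add(ev["address"])
    return summary


def flag_suspicious(summary: Dict[str, Dict], min_after_boot: int = 1) -> List[str]:
    """Devices that kept hitting the IOMMU after the boot window, sorted."""
    return sorted(d for d, s in summary.items() if s["after_boot"] >= min_after_boot)


def check_cmdline(cmdline: str) -> List[str]:
    """Report kernel options that remove or weaken IOMMU isolation.

    iommu=soft and iommu=pt are the two the mail names; iommu=off and
    amd_iommu=off disable the IOMMU outright. Both keys take comma lists.
    """
    found = []
    for tok in cmdline.split():
        key, sep, val = tok.partition("=")
        if not sep:
            continue
        vals = val.split(",")
        if key == "iommu":
            found += ["iommu=" + v for v in vals if v in ("soft", "pt", "off")]
        elif key == "amd_iommu" and "off" in vals:
            found.append("amd_iommu=off")
    return found


if __name__ == "__main__":
    # On a live system: dmesg_text = open("/dev/kmsg") is awkward; use
    # subprocess.run(["dmesg"], ...).stdout and open("/proc/cmdline").read().
    summary = summarize_by_device(parse_io_page_faults(SAMPLE_DMESG))
    for dev, s in sorted(summary.items()):
        print(f"{dev}: {s['total']} blocked, {s['after_boot']} after boot, "
              f"{len(s['addresses'])} distinct addresses, "
              f"{s['first_ts']:.1f}s-{s['last_ts']:.1f}s")
    print("suspicious:", flag_suspicious(summary))
    print("weakening options:", check_cmdline("root=/dev/sda2 ro iommu=pt quiet"))
```

Each IO_PAGE_FAULT line is one DMA request the IOMMU refused, so the per-device count is the metric that matters; a device whose count keeps growing after boot, or that walks sequential addresses as 05:00.0 does in the sample, is the pattern the mail describes. Run the command-line check too: if it returns anything, the event log may be quiet only because the IOMMU is no longer enforcing for host devices.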

