[coreboot] DMA protection? [AMD-Vi]
Taiidan at gmx.com
Sat Nov 19 21:24:44 CET 2016
You the man! Very informative >:D
Was the card malicious or just horribly programmed?
How much $$$$ would it run for you fellas to make DMA protection happen?
On 11/15/2016 04:58 PM, Timothy Pearson wrote:
> On 11/15/2016 03:35 PM, Taiidan at gmx.com wrote:
>> I have KGPE-d16 with IOMMU/AMD-VI and I was wondering if it would be
>> possible to designate in coreboot certain devices pass-through only to
>> stop them from communicating with the host? If I have to launch a rescue
>> CD or what not then a rogue infected device could do a DMA attack, correct?
>> On Linux does iommu only isolate from the host devices assigned to a
>> guest? assigned to pcistub? or is there always some level of mediation?
>> My system says "dom0 mode - relaxed" right below the AMDVI messages,
>> what does it mean?
>> Thanks for any replies!
> Coreboot does not currently configure the IOMMU to reject unauthorized
> access; it waits for Linux to start and configure the IOMMU. By
> default, Linux configures the IOMMU (if present) to only accept access
> to authorised areas of memory*; therefore, once Linux starts, exploiting
> the system via PCI becomes very difficult. If you have passed any
> options to Linux regarding the IOMMU (e.g. iommu=soft or iommu=pt), the
> system may have lost this protection, so be careful!
> It might be an interesting experiment to configure the IOMMU from within
> coreboot in order to close the small window where a malicious PCI device
> could attack the host. This is something we'd be willing to consider
> under contract if there's interest.
> I hope this helps!
> * Both Raptor and other KGPE-D16 users have seen this in action with
> rogue cards -- in particular, one USB 3 card with firmware blobs
> attempted to scan host memory. When a peripheral misbehaves in this
> manner, you will see messages similar to:
> "AMD-Vi: Event logged [IO_PAGE_FAULT device=00.00.0 domain=0x0000
> address=0x0000000000000000 flags=0x0000]"
> Each one of those is a peripheral access to main memory that has been
> blocked by the IOMMU. If you see a lot of these, especially if they
> continue to be generated after bootup, you probably have a buggy or
> malicious PCI device installed.
> --
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
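The checks described in the quoted reply, as an added example that is not part of the original thread and is not coreboot or Raptor Engineering code: it counts AMD-Vi IO_PAGE_FAULT events per device, flags devices that keep faulting after bootup, and reports the two kernel options the reply warns about. The 60-second boot window, the repeat threshold and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the message shape quoted in the thread, with an optional dmesg
# "[seconds]" prefix. The device separator is accepted as "." or ":".
FAULT_RE = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s*)?AMD-Vi: Event logged \[IO_PAGE_FAULT "
    r"device=(?P<dev>[0-9a-f]{2}[.:][0-9a-f]{2}\.[0-7]) "
    r"domain=(?P<dom>0x[0-9a-f]+) address=(?P<addr>0x[0-9a-f]+) "
    r"flags=(?P<flags>0x[0-9a-f]+)\]",
    re.IGNORECASE)
BOOT_WINDOW_S = 60.0  # assumption: faults later than this count as "after bootup"
RISKY_OPTS = {"iommu=soft", "iommu=pt"}  # the two options named in the thread

def summarize_faults(lines, boot_window=BOOT_WINDOW_S):
    """Count blocked DMA accesses per device, split into total and post-boot."""
    stats = defaultdict(lambda: {"total": 0, "after_boot": 0})
    for line in lines:
        m = FAULT_RE.search(line)
        if not m:
            continue  # unrelated kernel message
        stats[m["dev"]]["total"] += 1
        if m["ts"] is not None and float(m["ts"]) > boot_window:
            stats[m["dev"]]["after_boot"] += 1
    return dict(stats)

def suspicious_devices(stats, min_after_boot=2):
    """Devices that keep faulting after boot (the threshold is an assumption)."""
    return sorted(d for d, s in stats.items() if s["after_boot"] >= min_after_boot)

def risky_iommu_options(cmdline):
    """Kernel command-line options the reply says may remove the protection."""
    return sorted(RISKY_OPTS.intersection(cmdline.split()))

# Constructed sample log: device numbers, addresses, flags and times are made up.
SAMPLE_LOG = """\
[    3.101000] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0000 address=0x0000000000001000 flags=0x0010]
[    4.500000] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0000 address=0x00000000fee00000 flags=0x0000]
[  130.250000] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0000 address=0x0000000000002000 flags=0x0010]
[  131.750000] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0000 address=0x0000000000003000 flags=0x0010]
[  140.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci
""".splitlines()

if __name__ == "__main__":
    stats = summarize_faults(SAMPLE_LOG)
    print("keeps faulting after boot:", suspicious_devices(stats))
    print("risky options:", risky_iommu_options("root=/dev/sda1 ro iommu=pt quiet"))
```

On a live system the same functions can be fed the lines of the kernel log and the contents of `/proc/cmdline`.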