[coreboot] DMA protection? [AMD-Vi]

Taiidan at gmx.com Taiidan at gmx.com
Sat Nov 19 21:24:44 CET 2016


You the man! Very informative >:D


Was the card malicious or just horribly programmed?

How much $$$$ would it run for you fellas to make DMA protection happen?

On 11/15/2016 04:58 PM, Timothy Pearson wrote:
>
> On 11/15/2016 03:35 PM, Taiidan at gmx.com wrote:
>> I have a KGPE-D16 with IOMMU/AMD-Vi and I was wondering if it would be
>> possible to designate in coreboot certain devices as pass-through only to
>> stop them from communicating with the host? If I have to launch a rescue
>> CD or whatnot, then a rogue infected device could do a DMA attack, correct?
>>
>> On Linux, does the IOMMU only isolate from the host devices assigned to a
>> guest? Assigned to pcistub? Or is there always some level of mediation?
>> My system says "dom0 mode - relaxed" right below the AMDVI messages,
>> what does it mean?
>>
>> Thanks for any replies!
>>
>>
> Coreboot does not currently configure the IOMMU to reject unauthorized
> access; it waits for Linux to start and configure the IOMMU.  By
> default, Linux configures the IOMMU (if present) to only accept access
> to authorised areas of memory*, therefore once Linux starts, exploiting
> the system via PCI becomes very difficult.  If you have passed any
> options to Linux regarding the IOMMU (e.g. iommu=soft or iommu=pt), the
> system may have lost this protection, so be careful!
>
> It might be an interesting experiment to configure the IOMMU from within
> coreboot in order to close the small window where a malicious PCI device
> could attack the host.  This is something we'd be willing to consider
> under contract if there's interest.
>
> I hope this helps!
>
> * Both Raptor and other KGPE-D16 users have seen this in action with
> rogue cards -- in particular, one USB 3 card with firmware blobs
> attempted to scan host memory.  When a peripheral misbehaves in this
> manner, you will see messages similar to:
>
> "AMD-Vi: Event logged [IO_PAGE_FAULT device=00.00.0 domain=0x0000
> address=0x0000000000000000 flags=0x0000]"
>
> Each one of those is a peripheral access to main memory that has been
> blocked by the IOMMU.  If you see a lot of these, especially if they
> continue to be generated after bootup, you probably have a buggy or
> malicious PCI device installed.
>
> --
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
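
Added example (not part of the original thread, and not coreboot or Raptor Engineering code): a Python triage of the two things the quoted reply says to watch for, the `iommu=soft` / `iommu=pt` kernel options and `IO_PAGE_FAULT` events that keep arriving after boot. The sample log lines, the 60-second boot window and the three-event threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Kernel options the quoted reply names as possibly removing IOMMU protection.
WEAKENING = {"iommu=soft", "iommu=pt"}
# Matches the message quoted in the thread, with an optional dmesg timestamp.
# Accepts "00.00.0" (as written in the thread) and "00:00.0" device notation.
FAULT_RE = re.compile(
    r"^(?:\[\s*(?P<ts>\d+\.\d+)\]\s*)?AMD-Vi: Event logged \[IO_PAGE_FAULT "
    r"device=(?P<dev>[0-9a-f]{2}[:.][0-9a-f]{2}\.[0-9a-f]) "
    r"domain=(?P<dom>0x[0-9a-f]+) address=(?P<addr>0x[0-9a-f]+) "
    r"flags=(?P<flags>0x[0-9a-f]+)\]", re.IGNORECASE)

# Constructed sample log (not captured from a real system).
SAMPLE_DMESG = """\
[    2.104511] usb 1-1: new high-speed USB device number 2 using ehci-pci
[    7.530022] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0012 address=0x00000000fdf80000 flags=0x0010]
[  311.000100] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0014 address=0x0000000000001000 flags=0x0000]
[  311.900200] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0014 address=0x0000000000002000 flags=0x0000]
[  312.400300] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0014 address=0x0000000000003000 flags=0x0000]
[  900.200400] AMD-Vi: Event logged [IO_PAGE_FAULT device=05:00.0 domain=0x0014 address=0x0000000000001000 flags=0x0000]
""".splitlines()

def weakening_options(cmdline):
    """Return the options from WEAKENING present on a kernel command line."""
    return sorted(tok for tok in cmdline.split() if tok in WEAKENING)

def summarize_faults(lines, boot_window=60.0):
    """Per device: blocked accesses in total and after boot_window seconds (assumed cut-off)."""
    stats = defaultdict(lambda: {"total": 0, "after_boot": 0, "addresses": set()})
    for line in lines:
        m = FAULT_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["dev"].lower()]
        s["total"] += 1
        s["addresses"].add(int(m["addr"], 16))
        if m["ts"] is not None and float(m["ts"]) > boot_window:
            s["after_boot"] += 1
    return dict(stats)

def suspects(stats, min_after_boot=3):
    """Devices still faulting after boot; the threshold is an assumption."""
    return sorted(d for d, s in stats.items() if s["after_boot"] >= min_after_boot)

if __name__ == "__main__":
    print(weakening_options("root=/dev/sda1 ro iommu=pt quiet"))
    print(suspects(summarize_faults(SAMPLE_DMESG)))
```

On a live system the inputs would be the contents of `/proc/cmdline` and the kernel log instead of the constructed strings.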
