[coreboot] DMA protection? [AMD-Vi]

ron minnich rminnich at gmail.com
Mon Nov 21 00:36:12 CET 2016


The way coreboot has always enforced DMA protections is to not set bus
master enabling on IO devices. I trust that particular setting a lot more
than I trust trying to configure an IOMMU, given that such configuration
seems to require trying to parse ACPI DMAR tables. If you will now tell me
that some bad IO device might ignore BME, then I would want to know how to
disable PCI bus mastering in the root complex, but certainly not via the
IOMMU.

coreboot has always attempted to do absolutely minimal platform
configuration, just enough so a payload can run. This includes enabling as
little of the hardware as possible, including IO devices. Every time you
add in new capabilities such as IOMMU you take the risk of getting it wrong
and making the system less secure.

Off the top of my head, messing about with the IOMMU in coreboot seems a
very bad idea.
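The point of the message above is that the protection coreboot relies on is the Bus Master Enable bit (bit 2 of the 16-bit Command register at offset 0x04 in every PCI function's configuration-space header): a function whose BME bit is clear is not permitted to initiate memory or I/O transactions, i.e. it cannot DMA. The following is an added example, not code from the original post or from coreboot, that audits a set of PCI functions for BME and optionally clears it. The bus is an in-memory model constructed for the example (real firmware would read config space through CF8/CFC or ECAM instead of a byte array); the vendor IDs and the `pci_dev`, `pci_audit_bme` and `build_sample_bus` names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* PCI configuration-space header offsets and Command-register bits
 * (PCI Local Bus Specification, type 0/1 header). */
#define PCI_VENDOR_ID        0x00
#define PCI_COMMAND          0x04
#define PCI_COMMAND_IO       (1u << 0)   /* I/O space decode enable     */
#define PCI_COMMAND_MEMORY   (1u << 1)   /* memory space decode enable  */
#define PCI_COMMAND_MASTER   (1u << 2)   /* Bus Master Enable (BME)     */

#define CFG_SPACE_SIZE 256

/* Hypothetical model of one PCI function: its location plus a copy of
 * its 256-byte configuration header. Constructed for this example. */
struct pci_dev {
    uint8_t bus, dev, fn;
    uint8_t cfg[CFG_SPACE_SIZE];
};

static uint16_t cfg_read16(const struct pci_dev *d, unsigned off)
{
    return (uint16_t)(d->cfg[off] | ((uint16_t)d->cfg[off + 1] << 8));
}

static void cfg_write16(struct pci_dev *d, unsigned off, uint16_t v)
{
    d->cfg[off]     = (uint8_t)(v & 0xff);
    d->cfg[off + 1] = (uint8_t)(v >> 8);
}

/* 1 if the function is allowed to initiate DMA (BME set), else 0. */
int pci_bme_enabled(const struct pci_dev *d)
{
    return (cfg_read16(d, PCI_COMMAND) & PCI_COMMAND_MASTER) != 0;
}

/* Walk the functions, skip empty slots (vendor ID 0xFFFF), count those
 * with BME set and, when clear != 0, clear the bit while leaving the
 * I/O and memory decode bits untouched. Returns the number found.
 * Caveat: on a PCI-to-PCI bridge the same bit also governs forwarding
 * of upstream transactions from its secondary bus, so clearing it
 * there silences every device behind the bridge as well. */
size_t pci_audit_bme(struct pci_dev *devs, size_t n, int clear)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (cfg_read16(&devs[i], PCI_VENDOR_ID) == 0xffff)
            continue;                      /* nothing present here */
        uint16_t cmd = cfg_read16(&devs[i], PCI_COMMAND);
        if (cmd & PCI_COMMAND_MASTER) {
            found++;
            if (clear)
                cfg_write16(&devs[i], PCI_COMMAND,
                            (uint16_t)(cmd & ~PCI_COMMAND_MASTER));
        }
    }
    return found;
}

/* Constructed sample bus: two live functions with BME set (the second
 * also decodes memory) and one empty slot whose stale bits must be
 * ignored. Vendor IDs are placeholders, not real assignments. */
static struct pci_dev sample_bus[3];

struct pci_dev *build_sample_bus(void)
{
    for (size_t i = 0; i < 3; i++) {
        sample_bus[i].bus = 0; sample_bus[i].dev = (uint8_t)i; sample_bus[i].fn = 0;
        for (size_t j = 0; j < CFG_SPACE_SIZE; j++) sample_bus[i].cfg[j] = 0;
    }
    cfg_write16(&sample_bus[0], PCI_VENDOR_ID, 0x1234);
    cfg_write16(&sample_bus[0], PCI_COMMAND, PCI_COMMAND_MASTER);
    cfg_write16(&sample_bus[1], PCI_VENDOR_ID, 0xffff);   /* empty slot */
    cfg_write16(&sample_bus[1], PCI_COMMAND, PCI_COMMAND_MASTER);
    cfg_write16(&sample_bus[2], PCI_VENDOR_ID, 0x5678);
    cfg_write16(&sample_bus[2], PCI_COMMAND, PCI_COMMAND_MASTER | PCI_COMMAND_MEMORY);
    return sample_bus;
}

int main(void)
{
    struct pci_dev *bus = build_sample_bus();
    printf("functions with BME set before: %zu\n", pci_audit_bme(bus, 3, 0));
    pci_audit_bme(bus, 3, 1);
    printf("functions with BME set after:  %zu\n", pci_audit_bme(bus, 3, 0));
    printf("dev 2 still decodes memory: %s\n",
           (cfg_read16(&bus[2], PCI_COMMAND) & PCI_COMMAND_MEMORY) ? "yes" : "no");
    return 0;
}
```

The audit is the kind of post-boot check a payload or OS could run to confirm that firmware left BME clear everywhere; it says nothing about whether a given device honours the bit, which is exactly the question the message leaves open.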