[coreboot] DMA protection? [AMD-Vi]

Kyösti Mälkki kyosti.malkki at gmail.com
Mon Nov 21 00:49:01 CET 2016


On Mon, Nov 21, 2016 at 1:36 AM, ron minnich <rminnich at gmail.com> wrote:

> The way coreboot has always enforced DMA protections is to not set bus
> master enabling on IO devices. I trust that particular setting a lot more
> than I trust trying to configure an IOMMU, given that such configuration
> seems to require trying to parse ACPI DMAR tables. If you will now tell me
> that some bad IO device might ignore BME, then I would want to know how to
> disable PCI bus mastering in the root complex, but certainly not via the
> IOMMU.
>
>
And just grepping for PCI_COMMAND_MASTER would suggest such enforcement has been completely forgotten for some years. Like for the UART of intel/skylake in bootblock already.

Kyösti


> coreboot has always attempted to do absolutely minimal platform
> configuration, just enough so a payload can run. This includes enabling as
> little of the hardware as possible, including IO devices. Every time you
> add in new capabilities such as IOMMU you take the risk of getting it wrong
> and making the system less secure.
>
> Off the top of my head, messing about with the IOMMU in coreboot seems a
> very bad idea.
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
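The check the two posts above turn on, as an added example that is not part of this thread nor coreboot's own code: the Bus Master Enable bit (bit 2 of the PCI Command register at config offset 0x04) is what lets a device initiate DMA, so auditing which devices have it set, and clearing it where it is not wanted, is the "minimal configuration" stance Ron describes. The device table below is constructed in place (placeholder vendor/device IDs, not a dump of any real board) so the program runs offline; on a live Linux box the same bit shows as `BusMaster+` in `lspci -vv` or as bit 2 of `setpci -s <bdf> COMMAND`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets and bits of the PCI type-0 configuration header. */
#define PCI_VENDOR_ID       0x00
#define PCI_DEVICE_ID       0x02
#define PCI_COMMAND         0x04
#define PCI_COMMAND_IO      0x01   /* bit 0: I/O space decode */
#define PCI_COMMAND_MEMORY  0x02   /* bit 1: memory space decode */
#define PCI_COMMAND_MASTER  0x04   /* bit 2: Bus Master Enable, the DMA switch */

/* A device's location plus a snapshot of the first 64 bytes of its header. */
struct pci_dev_cfg {
    uint8_t bus, slot, func;
    uint8_t cfg[64];
};

static uint16_t cfg_read16(const struct pci_dev_cfg *d, unsigned off)
{
    return (uint16_t)(d->cfg[off] | ((uint16_t)d->cfg[off + 1] << 8));
}

static void cfg_write16(struct pci_dev_cfg *d, unsigned off, uint16_t v)
{
    d->cfg[off] = (uint8_t)(v & 0xff);
    d->cfg[off + 1] = (uint8_t)(v >> 8);
}

/* Returns 1 if the device may initiate bus transactions (DMA). */
int bus_master_enabled(const struct pci_dev_cfg *d)
{
    return (cfg_read16(d, PCI_COMMAND) & PCI_COMMAND_MASTER) != 0;
}

/* Clears BME and reports whether it had been set; the decode bits are left alone. */
int disable_bus_master(struct pci_dev_cfg *d)
{
    uint16_t cmd = cfg_read16(d, PCI_COMMAND);
    int was_set = (cmd & PCI_COMMAND_MASTER) != 0;
    cfg_write16(d, PCI_COMMAND, cmd & (uint16_t)~PCI_COMMAND_MASTER);
    return was_set;
}

/* Walks a device table, prints each device with BME set, and returns the count. */
size_t audit_bus_master(const struct pci_dev_cfg *devs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!bus_master_enabled(&devs[i]))
            continue;
        hits++;
        printf("%02x:%02x.%x %04x:%04x has BME set\n",
               devs[i].bus, devs[i].slot, devs[i].func,
               cfg_read16(&devs[i], PCI_VENDOR_ID),
               cfg_read16(&devs[i], PCI_DEVICE_ID));
    }
    return hits;
}

/* Constructed sample (hypothetical IDs and BDFs, not a real platform dump). */
static struct pci_dev_cfg *sample_devices(size_t *n)
{
    static struct pci_dev_cfg devs[3];
    memset(devs, 0, sizeof(devs));
    /* 00:00.0: host bridge, nothing enabled */
    devs[0].bus = 0; devs[0].slot = 0x00; devs[0].func = 0;
    cfg_write16(&devs[0], PCI_VENDOR_ID, 0x8086);
    cfg_write16(&devs[0], PCI_DEVICE_ID, 0x1234);
    /* 00:19.0: UART-like device left with MEM decode and BME set */
    devs[1].bus = 0; devs[1].slot = 0x19; devs[1].func = 0;
    cfg_write16(&devs[1], PCI_VENDOR_ID, 0x8086);
    cfg_write16(&devs[1], PCI_DEVICE_ID, 0x5678);
    cfg_write16(&devs[1], PCI_COMMAND, PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
    /* 00:1f.0: device with MEM decode only, no DMA */
    devs[2].bus = 0; devs[2].slot = 0x1f; devs[2].func = 0;
    cfg_write16(&devs[2], PCI_VENDOR_ID, 0x8086);
    cfg_write16(&devs[2], PCI_DEVICE_ID, 0x9abc);
    cfg_write16(&devs[2], PCI_COMMAND, PCI_COMMAND_MEMORY);
    *n = 3;
    return devs;
}

/* Runs the audit over the sample; returns the number of BME-enabled devices. */
size_t audit_sample(void)
{
    size_t n;
    struct pci_dev_cfg *devs = sample_devices(&n);
    return audit_bus_master(devs, n);
}

int main(void)
{
    size_t n;
    struct pci_dev_cfg *devs = sample_devices(&n);
    printf("%zu device(s) with bus mastering enabled\n", audit_bus_master(devs, n));
    disable_bus_master(&devs[1]);
    printf("after clearing BME: %zu\n", audit_bus_master(devs, n));
    return 0;
}
```

The point of keeping the decode bits while clearing BME is that a UART or other slave-only device keeps working (MMIO/PIO still decode) but can no longer act as a bus master; a device that genuinely ignores BME would not be caught by this check, which is exactly the case Ron says would need root-complex-level handling rather than the IOMMU.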