[coreboot] DMA protection? [AMD-Vi]
ron minnich
rminnich at gmail.com
Mon Nov 21 17:16:19 CET 2016
On Mon, Nov 21, 2016 at 7:53 AM Timothy Pearson <
tpearson at raptorengineering.com> wrote:
>
>
> A quick check through the source seems to indicate that the generic
> pci_set_resource function will enable bus mastering on any PCI bridges.
> From that point on, if I'm not mistaken, any malicious device that
> exposed a bridge interface could enable mastering for any logical
> devices behind the bridge and attack the host. Am I missing something?
>
>
probably not. Back in the early days this kind of thing was not an issue.
We've always had to adjust for limits in the kernels we support. We have a
PCI subsystem mainly because, in 2000, linux could not handle an
unconfigured PCI bus -- it interpreted a "0 bar" as meaning "device
disabled by BIOS" -- really!
I suspect the BME enable on bridges was done because Linux or other guests
didn't know how to configure bridges correctly. But Linux and other kernels
are a lot better now than they were; I wonder if we should stop enabling
BME on bridges.
In any event, however, if we make this change it should be done in small
steps, and I think a good first small step is to start with things that
*look* obvious, like the aforementioned NIC. I am going to submit a CL
today to remove BME from that and see how much upset it causes :-)
ron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20161121/9b995c24/attachment.html>
More information about the coreboot
mailing list