[coreboot] DMA protection? [AMD-Vi]

Timothy Pearson tpearson at raptorengineering.com
Mon Nov 21 18:33:05 CET 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/21/2016 11:26 AM, ron minnich wrote:
> 
> 
> On Mon, Nov 21, 2016 at 9:21 AM Timothy Pearson
> <tpearson at raptorengineering.com <mailto:tpearson at raptorengineering.com>>
> wrote:
> 
>     -----BEGIN PGP SIGNED MESSAGE-----
>     Hash: SHA1
> 
>     On 11/21/2016 10:43 AM, ron minnich wrote:
>     > Talidan, just be aware, you can spend the money on enabling IOMMU in
>     > coreboot, but you should not just assumed that it gets upstreamed.
> 
>     That's why I was suggesting we discuss mitigating DMA attacks instead of
>     going after the IOMMU directly.  
> 
> 
> 
> Got it, thanks. So, in a more general case, what can we do to remediate
> such attacks across all the systems we have? And, further, what PCI
> support can we contemplate removing now that kernels are smarter, so as
> to help ensure that we don't accidentally make such attacks possible in
> the future? 
> 
> And, in the age of FSP blobs, what should we check to make sure FSP has
> not accidentally enabled such attacks? 

The first thing I would suggest (per your initial idea) is modifying the
PCI tree walking function in ramstage to read the bus mastering status
of every device, then thrown an alert to the console for each device
that has BM enabled.  That will let us know just how extensive the
problem is, and scary warnings might call greater attention to the problem.

In general, if you have binary blobs in the system such as the FSP, all
bets are off.  Such platforms cannot be trusted in ways that extend far
beyond a DMA attack -- the FSP could, for instance, work in tandem with
an Intel network peripheral and no one would really know about it
outside of Intel.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYMy/RAAoJEK+E3vEXDOFbc5oIAJdLhhyxus9UZK9315H+xohn
8r5yKcI6Wf0vxocbLdAIVrWoyGwQp8bTyLi6rsEecoPbeIUk1g69swq6feZwRqnA
j1caI8r3P839A4QsFBWlBqzspR0+Xr7nTB4o4B/G+GlI4XAEzJ+Y7MPt5Ppks3+C
TSd+n86sVMgQelvc41KzVRsANNzPjqIyUBoW2qs8n2if+1QKsSPmrtVqgdm9x7/N
WyDbzBvwCnDzX5HTXb4bFtHrpkjhFDdSBHPNETpXbvM4NF7fg8SPNVcEkyWnFKph
z9I0R0PVbyY4FSwvoGtFdVnlyAMOXHrmAeyyE9I4WebVd66hyDxqzT5f/ohWrGw=
=3iBo
-----END PGP SIGNATURE-----

More information about the coreboot mailing list