[coreboot] DMA protection? [AMD-Vi]

Zoran Stojsavljevic zoran.stojsavljevic at gmail.com
Tue Nov 22 06:48:53 CET 2016


Interesting thread. I would like to thank you all for a very/extremely
interesting read. And this thread forced me to start thinking/focusing
on these problems you have outlined here.

I have no idea how things are handled in Coreboot regarding VT-x and VT-d.
I do know how these two HW extensions are handled in UEFI/legacy BIOS. You
either enable/disable them, independently, or not. So, if you, for example,
do not set VT-x, you are not able to bring any kind of HYP/VMMs, doing true
MMU xlation. The same applies for VT-d. If not set, not able to do any
IOMMU xlation.

I tried to find in Coreboot 4.4 (from August 2016) both VT-x and VT-d
settings, but was not able to find any switches in .config. My question
here is: *how HW extensions for INTEL/AMD VT-x and VT-d are handled -
enabled/disabled in Coreboot?*

Let me now switch to another part of this thread, the main part: BME (Bus
Master Enable). This is a different topic, but related to VTs. I would
agree with Ron (Minnich) on his comment that the minimum of the HW should be
configured in Coreboot, so my take on this is that BME should NOT be
enabled anyhow, anywhere, and left to the actual OS to do this. Since Coreboot
is truly Linux oriented, I would say that the kernel should properly go over
the PCIe discovery algorithm/PCIe tree discovered and properly set bridges with
BME (by configuring kernel .config).

In this lieu, I would like to propose two addendums: one already proposed
by several people (Ron): to add a BME algorithm to the ram-stage of
Coreboot, which will print warnings for any bridge which has the BME bit set,
and the other one: to create a critical Bugzilla against Linus's (Torvalds) crew
(kernel.org) to add proper handling of BMEs in kernel.org:
https://bugzilla.kernel.org/ .

About security aspects... It is to be taken into account *AFTER* the
proposed changes (logical steps), since we divide and conquer, don't we?

Thank you,
Zoran

On Mon, Nov 21, 2016 at 10:15 PM, ron minnich <rminnich at gmail.com> wrote:

>
>
> On Mon, Nov 21, 2016 at 10:54 AM Rudolf Marek <r.marek at assembler.cz>
> wrote:
>
>>
>>
>> BME is ignored by Intel integrated graphics - the DMA runs even if the
>> BME is clear (this happens on core i7 chipsets for example). Thus that's
>> why it needs RMRR IOMMU range for VGA...
>>
>>
>
> wow. It's amazing how many of the PCI violations I've dealt with over the
> years have been for Intel chips :-)
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot
>
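
The check proposed in the message above (warn about any function whose BME bit is set) can be sketched as follows. This is an added example, not code from the thread or from coreboot: the register offsets follow the standard PCI configuration header, while the function names, the enum and the sample headers with their 0x1234 IDs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_VENDOR_ID   0x00
#define PCI_COMMAND     0x04
#define PCI_COMMAND_BME 0x0004 /* Command register bit 2: Bus Master Enable */
#define PCI_HEADER_TYPE 0x0e

enum bme_finding { BME_ABSENT = -1, BME_CLEAR = 0, BME_ENDPOINT = 1, BME_BRIDGE = 2 };

static uint16_t cfg_read16(const uint8_t *cfg, size_t off)
{
	return (uint16_t)(cfg[off] | (cfg[off + 1] << 8)); /* little-endian */
}

/* Classify one function from the first 16 bytes of its config header. */
enum bme_finding bme_check(const uint8_t cfg[16])
{
	if (cfg_read16(cfg, PCI_VENDOR_ID) == 0xffff)
		return BME_ABSENT; /* nothing decodes at this address */
	if (!(cfg_read16(cfg, PCI_COMMAND) & PCI_COMMAND_BME))
		return BME_CLEAR;
	/* Bit 7 of the header type is the multi-function flag; type 1 is a PCI-to-PCI bridge. */
	return (cfg[PCI_HEADER_TYPE] & 0x7f) == 0x01 ? BME_BRIDGE : BME_ENDPOINT;
}

/* Constructed sample headers (hypothetical IDs), not dumps from real hardware. */
static const uint8_t sample[4][16] = {
	{0x34,0x12, 0x01,0x00, 0x07,0x00, 0,0, 0,0,0x04,0x06, 0,0,0x01,0}, /* bridge, BME set */
	{0x34,0x12, 0x02,0x00, 0x03,0x00, 0,0, 0,0,0x00,0x02, 0,0,0x00,0}, /* endpoint, BME clear */
	{0x34,0x12, 0x03,0x00, 0x06,0x00, 0,0, 0,0,0x00,0x01, 0,0,0x80,0}, /* multi-function, BME set */
	{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
};

/* Print one warning per function with BME set; return how many were flagged. */
int bme_audit(const uint8_t (*hdrs)[16], size_t n)
{
	int flagged = 0;
	for (size_t i = 0; i < n; i++) {
		enum bme_finding f = bme_check(hdrs[i]);
		if (f <= BME_CLEAR)
			continue;
		printf("WARNING: function %zu (%04x:%04x) has BME set (%s)\n", i,
		       (unsigned)cfg_read16(hdrs[i], 0), (unsigned)cfg_read16(hdrs[i], 2),
		       f == BME_BRIDGE ? "bridge" : "endpoint");
		flagged++;
	}
	return flagged;
}

int main(void) { return bme_audit(sample, 4) == 2 ? 0 : 1; }
```

A clear BME bit is not by itself evidence that a device cannot DMA: the quoted reply from Rudolf Marek states that Intel integrated graphics ignore it.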