[coreboot] DMA protection? [AMD-Vi]

Taiidan at gmx.com
Tue Nov 22 15:22:26 CET 2016

On 11/22/2016 12:48 AM, Zoran Stojsavljevic wrote:

> Interesting thread. I would like to thank you all for a very/extremely
> interesting read. And this thread forced me to start thinking/focusing
> on these problems you have outlined here.
> I have no idea how things are handled in Coreboot regarding VT-x and VT-d.
> I do know how these two HW extensions are handled in UEFI/legacy BIOS. You
> either enable/disable them, independently, or not. So, if you, for example,
> do not set VT-x, you are not able to bring up any kind of HYP/VMMs doing true
> MMU xlation. The same applies for VT-d. If not set, you are not able to do any
> IOMMU xlation.
> I tried to find in Coreboot 4.4 (from August 2016) both VT-x and VT-d
> settings, but was not able to find any switches in .config. My question
> here is: *how are HW extensions for INTEL/AMD VT-x and VT-d handled -
> enabled/disabled in Coreboot?*
> Let me now switch to another part of this thread, the main part: BME (Bus
> Master Enable). This is a different topic, but related to VTs. I would
> agree with Ron (Minnich) on his comment that a minimum of the HW should be
> configured in Coreboot, so my take on this is that BME should NOT be
> enabled anyhow, anywhere, and left to the actual OS to do this. Since Coreboot
> is truly Linux oriented, I would say that the kernel should properly go over
> the PCIe discovery algorithm/PCIe tree discovered and properly set bridges with
> BME (by configuring kernel .config).
> In this light, I would like to propose two addenda: one already proposed
> by several people (Ron): to have a BME algorithm added to the ram-stage of
> Coreboot, which will print warnings for any bridge which has the BME bit set,
> and the other one: to create a critical Bugzilla against Linus's (Torvalds) crew (
> kernel.org) to add proper handling of BMEs in kernel.org:
> https://bugzilla.kernel.org/ .
> About security aspects... It is to be taken into account *AFTER* the
> proposed changes (logical steps), since we divide and conquer, don't we?
> Thank you,
> Zoran
> On Mon, Nov 21, 2016 at 10:15 PM, ron minnich <rminnic
Yes! Thank you to all for an excellent thread. It has been very informative.

With a normal BIOS the GUI simply sets CMOS settings, and in coreboot we
currently have no GUI, so we must set them with "nvramcui" or in the
cmos.defaults at compile time (file in the motherboard folder).
And here we set:
iommu = Enable

There is, however, not one for HVM as far as I can tell.

I propose not referring to IOMMU as the Intel-branded "VT-d". I have
encountered many people who think that it is an Intel technology and
that no other company has an equivalent (lol).
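The thread keeps coming back to the idea of a check that walks the PCI tree and warns about any bridge that still has Bus Master Enable set before handoff to the OS. The following is an added example written for this page, not code from the thread or from coreboot: it decodes the PCI configuration header fields a BME audit needs (Command register at offset 0x04, bit 2; header type at offset 0x0E) and emits a warning per function with BME set, calling out bridges separately because a bridge with BME set forwards upstream memory transactions from everything behind it. The sample headers and their vendor/device IDs are constructed; `read_sysfs` uses the standard Linux `/sys/bus/pci/devices/<bdf>/config` path and is the only part that touches a real machine.

```python
"""Audit PCI configuration headers for the Bus Master Enable (BME) bit.

Added example, not code from the thread or from coreboot. It models the
ramstage check proposed in the thread: decode each function's Command
register and warn where Bus Master Enable is set, flagging PCI-to-PCI
bridges (header type 1) separately.
"""
import struct
from pathlib import Path

PCI_COMMAND = 0x04       # 16-bit Command register
PCI_HEADER_TYPE = 0x0E   # bits 6:0 = header type (0 = endpoint, 1 = PCI-to-PCI bridge)
CMD_BUS_MASTER = 1 << 2  # Command bit 2: Bus Master Enable


def make_header(vendor, device, command, header_type):
    """Build a 64-byte config header containing only the fields this audit reads
    (constructed test data, not a dump from real hardware)."""
    hdr = bytearray(64)
    struct.pack_into("<HHH", hdr, 0x00, vendor, device, command)
    hdr[PCI_HEADER_TYPE] = header_type
    return bytes(hdr)


def decode_header(hdr):
    """Return the fields relevant to a BME audit from a raw config header."""
    vendor, device = struct.unpack_from("<HH", hdr, 0x00)
    (command,) = struct.unpack_from("<H", hdr, PCI_COMMAND)
    header_type = hdr[PCI_HEADER_TYPE] & 0x7F  # bit 7 is the multi-function flag
    return {
        "vendor": vendor,
        "device": device,
        "bme": bool(command & CMD_BUS_MASTER),
        "is_bridge": header_type == 1,
    }


def audit_bme(devices):
    """devices: mapping of BDF string -> raw config bytes.

    Returns one warning line per function that has Bus Master Enable set.
    Bridges are named explicitly: a bridge with BME set forwards memory
    transactions initiated by any device on its secondary side."""
    warnings = []
    for bdf in sorted(devices):
        info = decode_header(devices[bdf])
        if not info["bme"]:
            continue
        kind = "bridge" if info["is_bridge"] else "device"
        warnings.append(
            f"WARNING: {bdf} {kind} {info['vendor']:04x}:{info['device']:04x} "
            f"has Bus Master Enable set before OS handoff"
        )
    return warnings


def read_sysfs(root="/sys/bus/pci/devices"):
    """On a running Linux system, collect the first 64 bytes of every
    function's config space from sysfs (standard path; needs read access)."""
    return {d.name: (d / "config").read_bytes()[:64] for d in Path(root).iterdir()}


# Constructed sample tree: a bridge with BME set, an endpoint with BME clear,
# and an endpoint with BME set. Vendor/device IDs are made up.
SAMPLE_DEVICES = {
    "0000:00:01.0": make_header(0xABCD, 0x0001, 0x0007, 0x01),
    "0000:01:00.0": make_header(0xABCD, 0x0002, 0x0003, 0x00),
    "0000:02:00.0": make_header(0xABCD, 0x0003, 0x0006, 0x00),
}

if __name__ == "__main__":
    # Swap SAMPLE_DEVICES for read_sysfs() to audit the machine this runs on.
    for line in audit_bme(SAMPLE_DEVICES):
        print(line)
```

Run as-is it reports the bridge at 00:01.0 and the endpoint at 02:00.0; the endpoint at 01:00.0 (Command 0x0003, bit 2 clear) stays silent. On a real system the same `audit_bme` can be fed `read_sysfs()` to see which functions the firmware left bus-mastering before the kernel took over.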
