Enabled the DMA protection for the whole usable memory in coreboot, but as expected every device using/needing DMA now fails, i.e. can't use any USB device or disk 🙃 At least I have a confirmation that the DMA protection works 😄 Now the UEFIPayload needs to handle the allocation of DMA-allowed buffers for those I/O devices.
Yesterday I focused on fixing bugs in the patchsets and hunting down the implications which DMA protection has on coreboot, and found that PCIe 5.0 firmware loading stops working. So I enabled the DMA buffer in FSP and use it to fetch the firmware from ME, and now it works. Pushing the patches to the new topic now, which will aggregate the whole effort: https://review.coreboot.org/q/topic:vtd_dma_protection
The problem you're addressing (if any)
A rogue PCIe device may mess up the firmware/OS integrity with DMA transactions. IOMMU should be utilized to protect against such attacks.
Describe the solution you'd like
Configure the firmware to set up IOMMU early in the boot process and make firmware aware of IOMMU protection.
Where is the value to a user, and who might that user be?
Describe alternatives you've considered