On Mon, Nov 21, 2016 at 1:36 AM, ron minnich <rminn...@gmail.com> wrote:
> The way coreboot has always enforced DMA protections is to not set bus
> master enabling on IO devices. I trust that particular setting a lot more
> than I trust trying to configure an IOMMU, given that such configuration
> seems to require trying to parse ACPI DMAR tables. If you will now tell me
> that some bad IO device might ignore BME, then I would want to know how to
> disable PCI bus mastering in the root complex, but certainly not via the
> IOMMU.
>

And just grepping for PCI_COMMAND_MASTER would suggest such enforcing has
completely been forgotten for some years. Like for the UART of intel/skylake
in bootblock already.

Kyösti

> coreboot has always attempted to do absolutely minimal platform
> configuration, just enough so a payload can run. This includes enabling as
> little of the hardware as possible, including IO devices. Every time you
> add in new capabilities such as IOMMU you take the risk of getting it wrong
> and making the system less secure.
>
> Off the top of my head, messing about with the IOMMU in coreboot seems a
> very bad idea.
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
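The thread's point is that the only DMA protection coreboot relies on is leaving the Bus Master Enable bit (PCI_COMMAND_MASTER, bit 2 of the 16-bit PCI command register at config offset 0x04) clear, and that a grep suggests some code paths set it anyway. The block below is an added example, not coreboot code and not from anyone in the thread: it models a device's config space as a byte array (a constructed stand-in for pci_read_config16()/pci_write_config16() on a real device), shows the "enable decoding but not mastering" pattern, and runs an audit over a constructed device set in which a UART has been brought up with IO|MEM|MASTER. The device names and command-register values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PCI configuration-space constants (PCI spec; same names as coreboot's pci_def.h). */
#define PCI_COMMAND        0x04
#define PCI_COMMAND_IO     0x1   /* I/O space decode */
#define PCI_COMMAND_MEMORY 0x2   /* memory space decode */
#define PCI_COMMAND_MASTER 0x4   /* Bus Master Enable: device may initiate DMA */

/* Constructed stand-in for one device's config space. Real firmware would
 * operate on a device handle with pci_read_config16()/pci_write_config16(). */
struct fake_pci_dev {
	const char *name;
	uint8_t cfg[256];
};

static uint16_t cfg_read16(const struct fake_pci_dev *d, unsigned off)
{
	return (uint16_t)(d->cfg[off] | (d->cfg[off + 1] << 8));
}

static void cfg_write16(struct fake_pci_dev *d, unsigned off, uint16_t val)
{
	d->cfg[off] = val & 0xff;
	d->cfg[off + 1] = val >> 8;
}

/* The minimal-configuration pattern from the thread: turn on the decode bit the
 * firmware needs to talk to the device, but leave BME clear so the device cannot
 * become a DMA initiator. */
void pci_enable_mmio_no_master(struct fake_pci_dev *d)
{
	uint16_t cmd = cfg_read16(d, PCI_COMMAND);
	cmd |= PCI_COMMAND_MEMORY;
	cmd &= (uint16_t)~PCI_COMMAND_MASTER;
	cfg_write16(d, PCI_COMMAND, cmd);
}

bool pci_bus_master_enabled(const struct fake_pci_dev *d)
{
	return (cfg_read16(d, PCI_COMMAND) & PCI_COMMAND_MASTER) != 0;
}

/* Walk a device list, report every device with BME set and optionally clear it.
 * Returns how many devices had BME set when the walk started. */
size_t audit_bus_master(struct fake_pci_dev *devs, size_t n, bool clear)
{
	size_t hits = 0;
	for (size_t i = 0; i < n; i++) {
		uint16_t cmd = cfg_read16(&devs[i], PCI_COMMAND);
		if (!(cmd & PCI_COMMAND_MASTER))
			continue;
		hits++;
		printf("%s: bus mastering enabled (cmd=0x%04x)%s\n",
		       devs[i].name, cmd, clear ? ", clearing" : "");
		if (clear)
			cfg_write16(&devs[i], PCI_COMMAND, cmd & (uint16_t)~PCI_COMMAND_MASTER);
	}
	return hits;
}

static void init_dev(struct fake_pci_dev *d, const char *name, uint16_t cmd)
{
	memset(d, 0, sizeof(*d));
	d->name = name;
	cfg_write16(d, PCI_COMMAND, cmd);
}

/* Constructed device set: a UART brought up with IO|MEM|MASTER (the bootblock
 * pattern the thread complains about), a NIC with MEM only, and a device enabled
 * through the safe path. Returns the number of offenders found; *remaining gets
 * the count left after the optional clearing pass. */
size_t demo_audit(bool clear, size_t *remaining)
{
	struct fake_pci_dev devs[3];
	init_dev(&devs[0], "uart0", PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
	init_dev(&devs[1], "nic0", PCI_COMMAND_MEMORY);
	init_dev(&devs[2], "dev2", 0);
	pci_enable_mmio_no_master(&devs[2]);

	size_t before = audit_bus_master(devs, 3, clear);
	*remaining = audit_bus_master(devs, 3, false);
	return before;
}

int main(void)
{
	size_t remaining;
	size_t found = demo_audit(true, &remaining);
	printf("devices with BME set: %zu before, %zu after clearing\n", found, remaining);
	return 0;
}
```

The audit only checks what the firmware itself wrote into the command register; it says nothing about a device that ignores BME, which is the separate concern raised in the quoted message.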