Early DMA protection not enforced properly on Alderlake and Meteorlake

[Lapushy6351]

Hi,

IOMMU It is used to protect against AMD attack in Dasharo + coreboot, does this during system startup.

https://osresearch.net/Heads-threat-model/#peripheral-firmware

https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/#dasharo-security-options

On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.

https://github.com/linuxboot/heads/blob/master/config/coreboot-novacustom-nv4x_adl.config#L426

https://github.com/linuxboot/heads/blob/d4c4e5699b89365a88d9d49748dbcc11b6394907/config/coreboot-nitropad-ns50.config#L426

@tlaurion why?

[tlaurion]

It's not supported because Intel FSP blobs missing requirements, to be troubleshooted and FSP requirements updated, fixed upstream and then downstream under Heads, pointing to new coreboot commit that will include the fix.

Details upstream Dasharo/dasharo-issues#985 (comment)

[tlaurion]

IOMMU It is used to protect against AMD attack in Dasharo + coreboot, does this during system startup.

Not sure about what you meant here @Lapushy6351. AMD? Feel free to edit OP. I think this was autocorrected DMA - >AMD but unsure. Maybe you referred to a vuln for AMD, but here those are Intel platforms. Clarify.

---

I renamed issue for better tracking and linked to upstream Dasharo coreboot fork's known issue.

On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.
Why?

Excerpt :

When setting CONFIG_ENABLE_EARLY_DMA_PROTECTION=y, cannot be applied.

cbmem -1 log with_early_boot_with_vtd_DISABLED_WARNING.log

Excerpt:
[INFO ] VT-d DMA protection disabled by option

Originally posted by @tlaurion in Dasharo/dasharo-issues#985 (comment)