Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Early DMA protection not enforced properly on Alderlake and Meteorlake #1922

Open
Lapushy6351 opened this issue Mar 9, 2025 · 3 comments
Open

Early DMA protection not enforced properly on Alderlake and Meteorlake #1922

Lapushy6351 opened this issue Mar 9, 2025 · 3 comments

Comments

@Lapushy6351
Copy link

Lapushy6351 commented Mar 9, 2025
edited
Loading

Hi,

IOMMU It is used to protect against DMA attack in Dasharo + coreboot, does this during system startup.

https://osresearch.net/Heads-threat-model/#peripheral-firmware

https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/#dasharo-security-options

On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.

https://github.com/linuxboot/heads/blob/master/config/coreboot-novacustom-nv4x_adl.config#L426

https://github.com/linuxboot/heads/blob/d4c4e5699b89365a88d9d49748dbcc11b6394907/config/coreboot-nitropad-ns50.config#L426

@tlaurion why?
@tlaurion
Copy link
Collaborator

tlaurion commented Mar 9, 2025
edited
Loading

It's not supported because Intel FSP blobs missing requirements, to be troubleshooted and FSP requirements updated, fixed upstream and then downstream under Heads, pointing to new coreboot commit that will include the fix.

Details upstream Dasharo/dasharo-issues#985 (comment)

@tlaurion tlaurion mentioned this issue Mar 9, 2025
Open
@tlaurion tlaurion changed the title IOMMU DMA attack Early DMA protection not enforced properly on Alderlake and Meteorlake Mar 9, 2025
@tlaurion
Copy link
Collaborator

tlaurion commented Mar 9, 2025
edited
Loading

IOMMU It is used to protect against AMD attack in Dasharo + coreboot, does this during system startup.

Not sure about what you meant here @Lapushy6351. AMD? Feel free to edit OP. I think this was autocorrected DMA - >AMD but unsure. Maybe you referred to a vuln for AMD, but here those are Intel platforms. Clarify.

I renamed issue for better tracking and linked to upstream Dasharo coreboot fork's known issue.

On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.
Why?

Excerpt :

When setting CONFIG_ENABLE_EARLY_DMA_PROTECTION=y, cannot be applied.

cbmem -1 log with_early_boot_with_vtd_DISABLED_WARNING.log

Excerpt:
[INFO ] VT-d DMA protection disabled by option

Originally posted by @tlaurion in Dasharo/dasharo-issues#985 (comment)

@Lapushy6351
Copy link
Author

It's not supported because Intel FSP blobs missing requirements, to be troubleshooted and FSP requirements updated, fixed upstream and then downstream under Heads, pointing to new coreboot commit that will include the fix.

Details upstream Dasharo/dasharo-issues#985 (comment)

and what are the compatible models or as the identifications?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tlaurion @Lapushy6351