
Early DMA protection not enforced properly on Alderlake and Meteorlake #1922

Open
Lapushy6351 opened this issue Mar 9, 2025 · 2 comments

@Lapushy6351

Hi,

IOMMU: it is used to protect against the AMD attack in Dasharo + coreboot, and does this during system startup.

https://osresearch.net/Heads-threat-model/#peripheral-firmware

https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/#dasharo-security-options

On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.

https://github.com/linuxboot/heads/blob/master/config/coreboot-novacustom-nv4x_adl.config#L426

https://github.com/linuxboot/heads/blob/d4c4e5699b89365a88d9d49748dbcc11b6394907/config/coreboot-nitropad-ns50.config#L426

@tlaurion why?

@tlaurion
Collaborator

tlaurion commented Mar 9, 2025

It's not supported because the Intel FSP blobs are missing requirements; this needs to be troubleshot and the FSP requirements updated, fixed upstream, and then downstream under Heads by pointing to the new coreboot commit that will include the fix.

Details upstream: Dasharo/dasharo-issues#985 (comment)

@tlaurion changed the title from "IOMMU DMA attack" to "Early DMA protection not enforced properly on Alderlake and Meteorlake" on Mar 9, 2025
@tlaurion
Collaborator

tlaurion commented Mar 9, 2025

> IOMMU: it is used to protect against the AMD attack in Dasharo + coreboot, and does this during system startup.

Not sure what you meant here @Lapushy6351. AMD? Feel free to edit the OP. I think this was autocorrected DMA -> AMD, but I'm unsure. Maybe you referred to a vuln for AMD, but these are Intel platforms. Clarify.

I renamed issue for better tracking and linked to upstream Dasharo coreboot fork's known issue.

> On Clevo NV41 and Clevo NS50 models this is disabled, and I don't understand why.

Why?

Excerpt:

When setting CONFIG_ENABLE_EARLY_DMA_PROTECTION=y, it cannot be applied.

cbmem -1 log: with_early_boot_with_vtd_DISABLED_WARNING.log

Excerpt:
[INFO ] VT-d DMA protection disabled by option

Originally posted by @tlaurion in Dasharo/dasharo-issues#985 (comment)
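As an added verification example (not code from Heads or Dasharo), the following POSIX shell script cross-checks a coreboot .config against a cbmem -1 console log for exactly the mismatch described above: the option requested in the config while the firmware still logs that VT-d DMA protection is disabled. The sample config and log are constructed; the log wording is the one quoted in the issue.

```shell
#!/bin/sh
# Verification script (added here; not code from Heads or Dasharo).
# Cross-checks the coreboot .config against the cbmem -1 console log so a
# board where CONFIG_ENABLE_EARLY_DMA_PROTECTION=y is set but the firmware
# still logs "VT-d DMA protection disabled by option" is flagged as a
# mismatch. The log wording is the one quoted in the issue; the sample
# files below are constructed so the script runs offline.

# check_early_dma CONFIG_FILE CBMEM_LOG_FILE
# Prints "VERDICT: explanation". Exit status: 0 requested and no disable
# message, 2 requested but disabled at boot, 1 not requested in config.
check_early_dma() {
    requested=no
    grep -q '^CONFIG_ENABLE_EARLY_DMA_PROTECTION=y$' "$1" && requested=yes
    disabled=no
    grep -q 'VT-d DMA protection disabled by option' "$2" && disabled=yes
    case "$requested/$disabled" in
        yes/yes) echo "MISMATCH: requested in .config but firmware disabled it at boot"; return 2 ;;
        yes/no)  echo "REQUESTED: no disable message in log (absence is not proof; check VT-d in the OS too)"; return 0 ;;
        *)       echo "NOT-REQUESTED: option is not =y in .config (disabled=$disabled)"; return 1 ;;
    esac
}

# Constructed sample inputs: a config that asks for early DMA protection and
# a log showing the firmware ignoring it, as reported in the issue.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/config" <<'EOF'
CONFIG_VBOOT=y
CONFIG_ENABLE_EARLY_DMA_PROTECTION=y
EOF
cat > "$tmpdir/cbmem.log" <<'EOF'
[INFO ]  coreboot starting (constructed sample log)
[INFO ]  VT-d DMA protection disabled by option
[DEBUG]  BS: BS_DEV_INIT (constructed)
EOF

check_early_dma "$tmpdir/config" "$tmpdir/cbmem.log" || echo "exit status: $?"
```

On a real board, point the two arguments at the board's coreboot .config and at the output of `cbmem -1`; a MISMATCH verdict is the condition this issue tracks.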
