Configure early boot DMA protection with IOMMU

[miczyg1]

The problem you're addressing (if any)
A rogue PCIe device may mess up the firmware/OS integrity with DMA transactions. IOMMU should be utilized to protect against such attacks.

Describe the solution you'd like
Configure the firmware to set up IOMMU early in the boot process and make firmware aware of IOMMU protection.

Where is the value to a user, and who might that user be?
#219 (comment)

Describe alternatives you've considered
None

Additional context
None

[miczyg1]

Enabled the DMA protection for whole usable memory in coreboot, but as expected every device using/needing DMA now fails, i.e. can't use any USB device or disk 🙃 At least I have a confirmation that the DMA protection works 😄 Now the UEFIPayload needs to handle the allocation of DMA-allowed buffers for those I/O devices.

[miczyg1]

Here are the patches:
https://review.coreboot.org/c/coreboot/+/68449
https://review.coreboot.org/c/coreboot/+/68450

Next step would be to get IOMMU working in UEFI payload. I think I will reuse this:
https://github.com/tianocore/edk2-platforms/tree/master/Silicon/Intel/IntelSiliconPkg/Feature/VTd/IntelVTdDxe
This should cover everything we need now.

Also worth looking at would be: https://github.com/tianocore/edk2-platforms/tree/master/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity

[miczyg1]

Yesterday I focused on fixing bugs in the patchsets and hunting down implications which DMA protection has on coreboot and found that PCIe5.0 firmware loading stops working. So I enabled DMA buffer in FSP and use it to fetch the firmware from ME and now it works. Pushing the patches to the new topic now which will aggregate whole effort: https://review.coreboot.org/q/topic:vtd_dma_protection

[pietrushnic]

@miczyg1 great news.

[miczyg1]

Sent a patch to gerrit that allows cloning edk2-platform repo https://review.coreboot.org/c/coreboot/+/68872
So that we will be able to include VT-d driver in UEFI payload.

[miczyg1]

PR with Intel VT-d driver integration: Dasharo/edk2#28

[miczyg1]

I also had to do a workaround in the VT-d driver because coreboot already did PCI enumeration and it break dependencies of UEFI: Dasharo/edk2-platforms@3323ed4

[miczyg1]

And the PR with configuration Dasharo/coreboot#250

[rafkoch]

@miczyg1 what are we waiting for in this task, for more than a month, before we move it to the CLOSED status?

[miczyg1]

We would also like to have a setup option to enable/disable DMA protection

[rafkoch]

@miczyg1 for me, this looks like an additional improvement idea that was not in the original scope of issue. Please separate it to the backlog for future releases and link it here. Thank you.

[miczyg1]

There it is: #275

[rafkoch]

Nice, I moved this isssue to DONE column.