On 11/22/2016 12:48 AM, Zoran Stojsavljevic wrote:
Interesting thread. I would like to thank you all for a very/extremely
interesting read. And this thread forced me to start thinking/focusing
about these problems you have outlined here.

I have no idea how things are handled in Coreboot regarding VT-x and VT-d.
I do know how these two HW extensions are handled in UEFI/legacy BIOS. You
either enable/disable them, independently, or not. So, if you, for example,
do not set VT-x, you are not able to bring up any kind of HYP/VMMs, doing true
MMU xlation. The same applies for VT-d. If not set, not able to do any
IOMMU xlation.

I tried to find in Coreboot 4.4 (from August 2016) both VT-x and VT-d
settings, but was not able to find any switches in .config. My question
here is: *how HW extensions for INTEL/AMD VT-x and VT-d are handled -
enabled/disabled in Coreboot?*

Let me now switch to another part of this thread, main part: BME (Bus
Master Enable). This is a different topic, but related to VTs. I would
agree with Ron (Minnich) on his comment that a minimum of the HW should be
configured in Coreboot, so my take on this is that BME should NOT be
enabled anyhow, anywhere, and left to the actual OS to do this. Since Coreboot
is truly Linux oriented, I would say that the kernel should properly go over
the PCIe discovery algorithm/PCIe tree discovered and properly set bridges with
BME (by configuring kernel .config).

In this lieu, I would like to propose two addendums: one already proposed
by several people (Ron): to have added a BME algorithm to the ram-stage of
Coreboot, which will print warnings for any bridge which has the BME bit set,
and the other one: to create a critical Bugzilla against Linus's (Torvalds) crew
(kernel.org) to add proper handling of BMEs in kernel.org:
https://bugzilla.kernel.org/ .

About security aspects... It is to be taken into account *AFTER* the
proposed changes (logical steps), since we divide and conquer, don't we?

Thank you,
Zoran
On Mon, Nov 21, 2016 at 10:15 PM, ron minnich <rminnic
Yes! thank you to all for an excellent thread. It has been very informative.

With a normal BIOS the GUI simply sets CMOS settings, and in coreboot we
currently have no GUI, so we must set them with "nvramcui" or in the
cmos.defaults at compile time (file in the motherboard folder):
coreboot/src/mainboard/asus/kgpe-d16

And here we set:
iommu = Enable

There however is not one for HVM as far as I can tell.

I propose not referring to IOMMU as the Intel-branded "VT-d"; I have
encountered many people who think that it is an Intel technology and
that no other company has an equivalent (lol).
--
coreboot mailing list: [email protected]
https://www.coreboot.org/mailman/listinfo/coreboot
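
The bridge check proposed in the quoted message (warn for any bridge that has the BME bit set), written out as an added example; it is not coreboot code and not part of the original thread. It decodes the first 16 bytes of PCI configuration space, and the function names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_VENDOR_ID       0x00
#define PCI_COMMAND         0x04
#define PCI_COMMAND_MASTER  0x0004 /* command register bit 2: Bus Master Enable */
#define PCI_HEADER_TYPE     0x0e
#define PCI_HDR_TYPE_MASK   0x7f   /* bit 7 is the multi-function flag */
#define PCI_HDR_TYPE_BRIDGE 0x01   /* type 1 header: PCI-to-PCI bridge */

struct cfg_sample { const char *bdf; uint8_t hdr[16]; };

/* Configuration space is little-endian. */
static uint16_t rd16(const uint8_t *h, size_t off)
{
    return (uint16_t)(h[off] | (h[off + 1] << 8));
}

/* Returns 1 when the function exists, is a PCI-to-PCI bridge and has BME set. */
int bridge_has_bme(const uint8_t *hdr)
{
    if (rd16(hdr, PCI_VENDOR_ID) == 0xffff)   /* all ones: nothing at this address */
        return 0;
    if ((hdr[PCI_HEADER_TYPE] & PCI_HDR_TYPE_MASK) != PCI_HDR_TYPE_BRIDGE)
        return 0;                             /* endpoints are not reported here */
    return (rd16(hdr, PCI_COMMAND) & PCI_COMMAND_MASTER) != 0;
}

/* Prints one warning per offending bridge and returns how many were found. */
int warn_bme_bridges(const struct cfg_sample *s, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (bridge_has_bme(s[i].hdr)) {
            printf("WARNING: bridge %s has BME set (command=0x%04x)\n",
                   s[i].bdf, (unsigned)rd16(s[i].hdr, PCI_COMMAND));
            count++;
        }
    return count;
}

/* Constructed headers (vendor 0x1234 is made up), not dumps from real hardware. */
static const struct cfg_sample samples[] = {
    {"00:1c.0", {0x34,0x12,0x01,0x00, 0x07,0x00,0x10,0x00, 0,0,0x04,0x06, 0,0,0x81,0}}, /* bridge, BME on */
    {"00:1c.1", {0x34,0x12,0x01,0x00, 0x03,0x00,0x10,0x00, 0,0,0x04,0x06, 0,0,0x01,0}}, /* bridge, BME off */
    {"00:1f.2", {0x34,0x12,0x02,0x00, 0x07,0x00,0x10,0x00, 0,0,0x06,0x01, 0,0,0x00,0}}, /* endpoint, BME on */
    {"00:1d.0", {0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff}},
};

int main(void) { return warn_bme_bridges(samples, 4) == 1 ? 0 : 1; }
```

Masking the header type with 0x7f matters: the first sample is a multi-function bridge (header type 0x81) and would be missed by a plain comparison against 0x01.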