On Thu, Jun 12, 2025 at 11:22:39AM -0400, Demi Marie Obenour wrote:
> On 6/12/25 06:06, Jan Beulich wrote:
> > On 12.06.2025 01:58, Andrew Cooper wrote:
> >> 2) Pre-boot DMA Protection. Microsoft consider this a platform feature
> >> requiring OEM enablement, and do not consider its absence to be a Secure Boot
> >> vulnerability. But, it is less clear what the policy ought to be for Xen
> >> booting on a capable system and failing to do a correct live-handover of the
> >> IOMMU across ExitBootServices().
> >
> > Shouldn't this be another TODO item at the bottom? We don't support yet taking
> > over when the IOMMUs are already enabled, do we?
>
> Dasharo supports leaving the IOMMU enabled when transferring to the OS, and
> this message was sent from a Qubes OS box booted in this configuration.
"Not explode" doesn't mean it "works" or is "supported". For example, there is
no guarantee that the IOMMU doesn't get disabled in the process, opening a
window for an attack. (And I do know this is the case.)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab