On Tue, Dec 3, 2019 at 5:38 AM Laszlo Ersek <lersek@xxxxxxxxxx> wrote: > (2) I'm not 100% convinced this threat model -- I hope I'm using the > right term -- is useful. A PCI device will likely not "itself" set up > DMA (maliciously or not) without a matching driver. A malicious PCI device can absolutely set up DMA itself without a matching driver. There's a couple of cases: 1) A device that's entirely under the control of an attacker. Using external Thunderbolt devices to overwrite OS data has been demonstrated on multiple occasions. 2) A device that's been compromised in some way. The UEFI driver is a long way from the only software that's related to the device - discrete GPUs boot themselves even in the absence of a driver, and if that on-board code can be compromised in any persistent way then they can be used to attack the OS. > Is this a scenario where we trust the device driver that comes from the > device's ROM BAR (let's say after the driver passes Secure Boot > verification and after we measure it into the TPM), but don't trust the > silicon jammed in the motherboard that presents the driver? Yes, though it's not just internal devices that we need to worry about. > (3) I never understood why the default behavior (or rather, "only" > behavior) for system firmware wrt. the IOMMU at EBS was "whitelist > everything". Why not "blacklist everything"? > > I understand the compat perspective, but the OS should at least be able > to request such a full blackout through OsIndications or whatever. (With > the SEV IOMMU driver in OVMF, that's what we do -- we set everything to > encrypted.) I'm working on that, but it would be nice to have an approach for existing systems.