On Thu, 19 Dec 2019 at 04:50, Andy Lutomirski <luto@xxxxxxxxxx> wrote: > > On Wed, Dec 18, 2019 at 9:03 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > > > From: Matthew Garrett <matthewgarrett@xxxxxxxxxx> > > > > Add an option to disable the busmaster bit in the control register on > > all PCI bridges during the invocation of ExitBootServices() and passing > > control to the runtime kernel. System firmware may configure the IOMMU > > to prevent malicious PCI devices from being able to attack the OS via DMA. > > However, since firmware can't guarantee that the OS is IOMMU-aware, it > > will tear down IOMMU configuration when ExitBootServices() is called. > > This leaves a window between where a hostile device could still cause > > damage before Linux configures the IOMMU again. > > > > If CONFIG_EFI_DISABLE_PCI_DMA is enabled or the "efi=disable_pci_dma" > > command line argument is passed, the EFI stub will clear the busmaster > > bit on all PCI bridges before ExitBootServices() completes. This will > > prevent any malicious PCI devices from being able to perform DMA until > > the kernel reenables busmastering after configuring the IOMMU. > > > > This option is disabled when in EFI mixed mode environments (ie, 64-bit > > kernels with a 32-bit EFI implementation), given that the use of EFI > > events is not supported in this case. > > > > This option may cause failures with some poorly behaved hardware and > > should not be enabled without testing. The kernel commandline options > > "efi=disable_pci_dma" or "efi=no_disable_pci_dma" may be used to > > override the default. > > Could this maybe be efi=disable_early_pci_dma? > > As it stands, it reads like busmastering is turned off and stays off, > which is not the case. I'm dreading the silly forum posts saying > "your system is slow, and busmastering is leet, so use > efi=no_disable_pci_dma to allow busmastering and make it OMG fast". > Fair enough. I'll change this to [no_]disable_early_pci_dma (assuming Matthew doesn't object to the exact shade of this bikeshed)
