On Mon, Dec 23, 2019 at 03:02:40PM +0100, Ard Biesheuvel wrote:
>
> Practically, on PCIe systems, PCI/PCI bridges are the only thing we
> need to care about, since that is how PCIe root ports are modelled.

If I'm interpreting my lspci output correctly, I have a PCI/ISA bridge on
bus 0 that's not behind a PCI/PCI bridge. Device 1f.0 below is the PCI/ISA
bridge. Devices 1-3 are the CPU root ports and 1c.* are the chipset root
ports.

Also, what about, e.g., the USB or SATA controllers? I know that someone had
said earlier that disabling BM on endpoints is pointless as malicious
endpoints could just re-enable it, but is it not possible for malicious USB
devices/SATA devices to try to use DMA through those controllers? I.e., if we
trust the controllers since they're on-board, but not necessarily the devices
behind them, wouldn't it still be worth it to disable BM on the controllers
too?

$ lspci -tv -s 0:0:
-[0000:00]-+-00.0  Intel Corporation Xeon E7 v4/Xeon E5 v4/Xeon E3 v4/Xeon D DMI2
           +-01.0-[01]--
           +-01.1-[02]--
           +-02.0-[03]--
           +-02.2-[04]--
           +-03.0-[05]--
           +-03.2-[06-09]--
           +-05.0  Intel Corporation Xeon E7 v4/Xeon E5 v4/Xeon E3 v4/Xeon D Map/VTd_Misc/System Management
           +-05.1  Intel Corporation Xeon E7 v4/Xeon E5 v4/Xeon E3 v4/Xeon D IIO Hot Plug
           +-05.2  Intel Corporation Xeon E7 v4/Xeon E5 v4/Xeon E3 v4/Xeon D IIO RAS/Control Status/Global Errors
           +-05.4  Intel Corporation Xeon E7 v4/Xeon E5 v4/Xeon E3 v4/Xeon D I/O APIC
           +-11.0  Intel Corporation C610/X99 series chipset SPSR
           +-11.4  Intel Corporation C610/X99 series chipset sSATA Controller [AHCI mode]
           +-14.0  Intel Corporation C610/X99 series chipset USB xHCI Host Controller
           +-16.0  Intel Corporation C610/X99 series chipset MEI Controller #1
           +-16.1  Intel Corporation C610/X99 series chipset MEI Controller #2
           +-1a.0  Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #2
           +-1b.0  Intel Corporation C610/X99 series chipset HD Audio Controller
           +-1c.0-[0a]--
           +-1c.2-[0b]--
           +-1c.3-[0c]--
           +-1c.4-[0d]--
           +-1c.7-[0e-0f]--
           +-1d.0  Intel Corporation C610/X99 series chipset USB Enhanced Host Controller #1
           +-1f.0  Intel Corporation C610/X99 series chipset LPC Controller
           +-1f.2  Intel Corporation C610/X99 series chipset 6-Port SATA Controller [AHCI mode]
           \-1f.3  Intel Corporation C610/X99 series chipset SMBus Controller
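The distinction the message draws between PCI/PCI bridges (root ports), other bridges such as the PCI/ISA LPC controller, and on-board endpoints like the xHCI and AHCI controllers can be read straight out of each function's config-space header. The following Python script is an added example, not code from this thread or from the kernel patch under discussion: it classifies each function by header type and class code and reports which ones still have the Command register's Bus Master Enable bit set, which is the audit a defender would run to see what a "disable BM on bridges only" policy leaves untouched. The sample headers (vendor 0x8086 with placeholder device IDs) are constructed to mirror the tree above; on Linux the same bytes can be read from /sys/bus/pci/devices/<bdf>/config.

```python
"""Audit PCI config-space headers for Bus Master Enable (BME).

Added example (not part of the mailing-list thread). Offsets are from the
PCI Local Bus specification: Command register at 0x04 (bit 2 = Bus Master
Enable), class code at 0x09-0x0B, header type at 0x0E, and for type 1
(PCI-to-PCI bridge) headers the secondary/subordinate bus numbers at
0x19/0x1A.
"""
import struct
from pathlib import Path

CMD_BUS_MASTER = 1 << 2      # Command register bit 2: Bus Master Enable
HDR_TYPE_BRIDGE = 1          # header type 1 = PCI-to-PCI bridge (root ports, switches)
CLASS_BRIDGE = 0x06          # base class 0x06 = bridge devices of any kind


def make_header(vendor, device, command, class_code, header_type,
                secondary=0, subordinate=0) -> bytes:
    """Construct a 64-byte type 0/1 config-space header (sample data only)."""
    cfg = bytearray(64)
    struct.pack_into("<HHHH", cfg, 0x00, vendor, device, command, 0)  # status = 0
    cfg[0x0A] = class_code & 0xFF          # subclass
    cfg[0x0B] = class_code >> 8            # base class
    cfg[0x0E] = header_type
    if header_type == HDR_TYPE_BRIDGE:
        cfg[0x19] = secondary              # secondary bus number
        cfg[0x1A] = subordinate            # subordinate bus number
    return bytes(cfg)


def parse_header(cfg: bytes) -> dict:
    """Classify one function and report whether it may initiate DMA."""
    vendor, device, command = struct.unpack_from("<HHH", cfg, 0x00)
    class_code = (cfg[0x0B] << 8) | cfg[0x0A]
    header_type = cfg[0x0E] & 0x7F         # bit 7 only flags multi-function
    if header_type == HDR_TYPE_BRIDGE:
        kind = "pci-pci bridge"            # how PCIe root ports are modelled
    elif (class_code >> 8) == CLASS_BRIDGE:
        kind = "other bridge"              # e.g. 0x0601 PCI/ISA (LPC), 0x0600 host bridge
    else:
        kind = "endpoint"                  # USB, SATA, audio, ... controllers
    info = {
        "vendor": vendor, "device": device, "class": class_code, "kind": kind,
        "bus_master": bool(command & CMD_BUS_MASTER),
    }
    if header_type == HDR_TYPE_BRIDGE:
        info["secondary_bus"] = cfg[0x19]
        info["subordinate_bus"] = cfg[0x1A]
    return info


def audit(devices: dict) -> list:
    """Return (bdf, kind) for every function that still has BME set."""
    return sorted((bdf, parse_header(cfg)["kind"])
                  for bdf, cfg in devices.items()
                  if parse_header(cfg)["bus_master"])


def read_sysfs(root="/sys/bus/pci/devices") -> dict:
    """Read the first 64 config bytes of every function from sysfs (Linux only)."""
    return {p.name: (p / "config").read_bytes()[:64] for p in Path(root).iterdir()}


# Constructed sample: device IDs are placeholders, class codes are the real
# PCI class values for each device type. Command 0x0007 = IO|MEM|BM,
# 0x0003 = IO|MEM (no bus mastering).
SAMPLE = {
    "0000:00:01.0": make_header(0x8086, 0x1234, 0x0007, 0x0604, 1, secondary=1, subordinate=1),
    "0000:00:14.0": make_header(0x8086, 0x1235, 0x0006, 0x0C03, 0),   # xHCI
    "0000:00:1f.0": make_header(0x8086, 0x1236, 0x0003, 0x0601, 0),   # LPC (PCI/ISA bridge)
    "0000:00:1f.2": make_header(0x8086, 0x1237, 0x0007, 0x0106, 0),   # AHCI SATA
    "0000:00:1f.3": make_header(0x8086, 0x1238, 0x0001, 0x0C05, 0),   # SMBus
}

if __name__ == "__main__":
    devices = read_sysfs() if Path("/sys/bus/pci/devices").is_dir() else SAMPLE
    for bdf, kind in audit(devices):
        print(f"{bdf}  {kind:15s}  bus master enabled")
```

Run as root on a Linux host it walks the real bus; elsewhere it falls back to the constructed sample. Functions it lists as "endpoint" with BME set are exactly the on-board controllers the message asks about, which a bridge-only policy leaves able to issue DMA on behalf of whatever is plugged into them.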