Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Early boot DMA protection is disabled in OS despite enabling it in FW #548

Open johanes2115 opened 1 year ago

johanes2115 commented 1 year ago

Device

Novacustom nv41 TGL

Dasharo version

v1.5.0

Affected component(s) or functionality

After enabling early boot DMA protection in FW and booting into the OS (Ubuntu 22.04), cbmem gives following output:

?BM-LOCKDOWN: Enabling boot media protection scheme 'WP_RO only' using CTRL...
?BM-LOCKDOWN: Enabled bootmedia protection
MemoryProtectionCpuArchProtocolNotify:
Boot Policy: DMA protection disabled
?BM-LOCKDOWN: Enabling boot media protection scheme 'WP_RO only' using CTRL...
?BM-LOCKDOWN: Enabled bootmedia protection
?BM-LOCKDOWN: Enabling boot media protection scheme 'WP_RO only' using CTRL...
?BM-LOCKDOWN: Enabled bootmedia protection
MemoryProtectionCpuArchProtocolNotify:
?BM-LOCKDOWN: Skipping enabling boot media protection
MemoryProtectionCpuArchProtocolNotify:
Boot Policy: DMA protection disabled
?BM-LOCKDOWN: Skipping enabling boot media protection
MemoryProtectionCpuArchProtocolNotify:
?BM-LOCKDOWN: Skipping enabling boot media protection
?VT-d PMR HOB not found, not enabling DMA protection
MemoryProtectionCpuArchProtocolNotify:

which suggests that early boot DMA protection is disabled.

Brief summary

Early boot DMA protection

How reproducible

100%

How to reproduce

  1. Power on the device
  2. Boot into firmware
  3. Go to Dasharo System Features -> Dasharo Security options -> Early Boot DMA Protection
  4. Enable the option
  5. Save the settings
  6. Reset the system and boot into Ubuntu 22.04
  7. Open terminal and run sudo ./cbmem -1 | grep -i protection
  8. Note the results

Expected behavior

Early boot DMA protection should be enabled

Actual behavior

Early boot DMA protection is disabled

Screenshots

No response

Additional context

No response

Solutions you've tried

No response
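A small checker, added here as an example and not part of the issue or of any Dasharo tooling, that scans a saved cbmem console log for the two messages quoted above and reports whether early boot DMA protection was left disabled and why. It assumes the message text exactly as quoted in the issue (the leading '?' glyph is treated as a mangled log-level marker and ignored); the sample log is a constructed excerpt of the output above.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the cbmem log quoted in this issue. The leading '?'
# is the log-level marker as it survived page extraction; it is not matched.
SAMPLE_CBMEM_LOG = """\
?BM-LOCKDOWN: Enabled bootmedia protection
MemoryProtectionCpuArchProtocolNotify:
Boot Policy: DMA protection disabled
?BM-LOCKDOWN: Skipping enabling boot media protection
?VT-d PMR HOB not found, not enabling DMA protection
MemoryProtectionCpuArchProtocolNotify:
"""

# Messages taken verbatim from the issue; the explanation is the thread's
# diagnosis (TGL FSP does not produce the VT-d PMR HOB).
DISABLED_PATTERNS = {
    "policy_disabled": (
        re.compile(r"Boot Policy: DMA protection disabled"),
        "payload boot policy reports DMA protection disabled",
    ),
    "pmr_hob_missing": (
        re.compile(r"VT-d PMR HOB not found, not enabling DMA protection"),
        "FSP did not publish a VT-d PMR HOB, so PMRs are not programmed",
    ),
}


def dma_protection_status(log_text: str) -> Dict[str, object]:
    """Classify early boot DMA protection from a cbmem console log.

    Returns enabled=False with the matched reasons when any known
    'disabled' message is present, and enabled=None (inconclusive) when
    the log says nothing about DMA protection at all, e.g. when the
    cbmem binary is too old to show the payload's log lines.
    """
    reasons: List[str] = []
    details: List[str] = []
    for line in log_text.splitlines():
        for name, (pattern, why) in DISABLED_PATTERNS.items():
            if pattern.search(line) and name not in reasons:
                reasons.append(name)
                details.append(why)
    enabled: Optional[bool] = False if reasons else None
    return {"enabled": enabled, "reasons": reasons, "details": details}


if __name__ == "__main__":
    # Feed it `sudo cbmem -1` output saved to a file, or the sample above.
    print(dma_protection_status(SAMPLE_CBMEM_LOG))
```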

macpijan commented 1 year ago

@johanes2115 What cbmem do we use here? Isn't the reason the same as the one we discussed here: https://github.com/Dasharo/dasharo-issues/issues/473

mkopec commented 1 year ago

Looks like FSP is not generating a VT-d PMR HOB. It's not configuring PMRs correctly, or just doesn't output the HOB for some reason.

johanes2115 commented 1 year ago

Output from the newest cbmem looks as follows: [ERROR] VT-d PMR HOB not found, not enabling DMA protection

wessel-novacustom commented 10 months ago

@johanes2115 Does this still happen with the beta version?

pietrushnic commented 10 months ago

@wessel-novacustom I doubt he will answer. He no longer works in 3mdeb.

macpijan commented 10 months ago

@mkopec will confirm here.

miczyg1 commented 10 months ago

Indeed, TGL FSP does not produce the required HOB. The HOB was introduced in AlderLake FSP, so any older microarchitecture will not work...

I guess we will have to find a different solution here.

mkopec commented 10 months ago

I confirm the issue still happens on v1.5.2