Subject: Re: [edk2-devel] CPU hotplug using SMM with QEMU+OVMF
From: Paolo Bonzini
To: "Yao, Jiewen", Alex Williamson, Laszlo Ersek
Cc: "devel@edk2.groups.io", edk2-rfc-groups-io, qemu devel list, Igor Mammedov, "Chen, Yingwen", "Nakajima, Jun", Boris Ostrovsky, Joao Marcal Lemos Martins, Phillip Goerl
Date: Sun, 18 Aug 2019 21:50:34 +0200
Message-ID: <35396800-32d2-c25f-b0d0-2d7cd8438687@redhat.com>

On 17/08/19 02:20, Yao, Jiewen wrote:
> [Jiewen] That is OK. Then we MUST add the third adversary.
> -- Adversary: Simple hardware attacker, who can use device to perform DMA attack in the virtual world.
> NOTE: The DMA attack in the real world is out of scope. That is handled by IOMMU in the real world, such as VTd. -- Please do clarify if this is TRUE.
>
> In the real world:
> #1: the SMM MUST be non-DMA capable region.
> #2: the MMIO MUST be non-DMA capable region.
> #3: the stolen memory MIGHT be DMA capable region or non-DMA capable
> region. It depends upon the silicon design.
> #4: the normal OS accessible memory - including ACPI reclaim, ACPI
> NVS, and reserved memory not included by #3 - MUST be DMA capable region.
> As such, IOMMU protection is NOT required for #1 and #2. IOMMU
> protection MIGHT be required for #3 and MUST be required for #4.
> I assume the virtual environment is designed in the same way. Please
> correct me if I am wrong.
>

Correct.

The 0x30000...0x3ffff area is the only problematic one; Igor's idea (or
a variant, for example optionally remapping 0xa0000..0xaffff SMRAM to
0x30000) is becoming more and more attractive.

Paolo