From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: pbonzini@redhat.com)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by groups.io with SMTP; Sun, 18 Aug 2019 12:50:36 -0700
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 43246C049E10
	for <devel@edk2.groups.io>; Sun, 18 Aug 2019 19:50:35 +0000 (UTC)
Received: by mail-wr1-f72.google.com with SMTP id v15so4118709wrg.13
        for <devel@edk2.groups.io>; Sun, 18 Aug 2019 12:50:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id
         :date:user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=Mh5AKIH4zN0R7HGXNBZ+G2Rv2NiToX+SVJ0buCWoJNM=;
        b=JtQz9GvpR+Vvw4rMPVayBV0/6zk8u1YmTAoVd+mJ5w4Oa5yb73Fe+Y5aoAUhhmsjdz
         iO4fL+Shmo6AUY17JAqo5wYCv1cd2YrA4E/kMCV6gv9rA8Ldf8TcGozLWrWk9iiZr6mF
         Mxj0MNIYG6cEEdzBT91aggKNVDEJwgvLMPxFR/DSQWyppzunLnjFeFlgbB7l1txMQsb0
         OVVVf1nuu2WSJomuehV9+HC+TzOyzkOZOhnZqmL0vvV8o0C7sfjxAIcbp4FQbPp67vQs
         UgIPRQYHrrcOCVggdADPbSrKjtFPFZABLhJpay1/NQu1edae0oZZZxaFwxJ1Iaff0Z96
         qrsQ==
X-Gm-Message-State: APjAAAVmUCbL92XGY8O3glDYqTj8ajQS+DKEneSZzFITHlWVZ7H0GA5Y
	KprDw+a+tQAsZFjv5yjSqYzpZ0DL0t5CddOWRoX4913eVOaOqRoqXpR7tSWR+Eurzol4r8ARytd
	1ZM6yhqKBFF8Rzg==
X-Received: by 2002:adf:8183:: with SMTP id 3mr22989253wra.181.1566157833887;
        Sun, 18 Aug 2019 12:50:33 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxtMq2H3ucS+0sYLAG/E4b176MxQE5gowHaNIBSOSmN50b0JZxa8/cvGkkEUZLLpkuPqDrKhA==
X-Received: by 2002:adf:8183:: with SMTP id 3mr22989244wra.181.1566157833577;
        Sun, 18 Aug 2019 12:50:33 -0700 (PDT)
Received: from ?IPv6:2001:b07:6468:f312:399c:411e:1ccb:f240? ([2001:b07:6468:f312:399c:411e:1ccb:f240])
        by smtp.gmail.com with ESMTPSA id f10sm11547975wrm.31.2019.08.18.12.50.31
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 18 Aug 2019 12:50:32 -0700 (PDT)
Subject: Re: [edk2-devel] CPU hotplug using SMM with QEMU+OVMF
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
 Alex Williamson <alex.williamson@redhat.com>,
 Laszlo Ersek <lersek@redhat.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
 edk2-rfc-groups-io <rfc@edk2.groups.io>,
 qemu devel list <qemu-devel@nongnu.org>, Igor Mammedov
 <imammedo@redhat.com>, "Chen, Yingwen" <yingwen.chen@intel.com>,
 "Nakajima, Jun" <jun.nakajima@intel.com>,
 Boris Ostrovsky <boris.ostrovsky@oracle.com>,
 Joao Marcal Lemos Martins <joao.m.martins@oracle.com>,
 Phillip Goerl <phillip.goerl@oracle.com>
References: <8091f6e8-b1ec-f017-1430-00b0255729f4@redhat.com>
 <effa5e32-be1e-4703-4419-8866b7754e2d@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F75B680@shsmsx102.ccr.corp.intel.com>
 <047801f8-624a-2300-3cf7-1daa1395ce59@redhat.com>
 <99219f81-33a3-f447-95f8-f10341d70084@redhat.com>
 <6f8b9507-58d0-5fbd-b827-c7194b3b2948@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F75FAD3@shsmsx102.ccr.corp.intel.com>
 <7cb458ea-956e-c1df-33f7-025e4f0f22df@redhat.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F7600B9@shsmsx102.ccr.corp.intel.com>
 <bb6fdbe0-2a3b-e586-e9a5-93e1ac0803ec@redhat.com>
 <20190816161933.7d30a881@x1.home>
 <74D8A39837DF1E4DA445A8C0B3885C503F761B96@shsmsx102.ccr.corp.intel.com>
From: Paolo Bonzini <pbonzini@redhat.com>
Openpgp: preference=signencrypt
Message-ID: <35396800-32d2-c25f-b0d0-2d7cd8438687@redhat.com>
Date: Sun, 18 Aug 2019 21:50:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F761B96@shsmsx102.ccr.corp.intel.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 17/08/19 02:20, Yao, Jiewen wrote:
> [Jiewen] That is OK. Then we MUST add the third adversary.
> -- Adversary: Simple hardware attacker, who can use device to perform DMA attack in the virtual world.
> NOTE: The DMA attack in the real world is out of scope. That is be handled by IOMMU in the real world, such as VTd. -- Please do clarify if this is TRUE.
> 
> In the real world:
> #1: the SMM MUST be non-DMA capable region.
> #2: the MMIO MUST be non-DMA capable region.
> #3: the stolen memory MIGHT be DMA capable region or non-DMA capable
> region. It depends upon the silicon design.
> #4: the normal OS accessible memory - including ACPI reclaim, ACPI
> NVS, and reserved memory not included by #3 - MUST be DMA capable region.
> As such, IOMMU protection is NOT required for #1 and #2. IOMMU
> protection MIGHT be required for #3 and MUST be required for #4.
> I assume the virtual environment is designed in the same way. Please
> correct me if I am wrong.
> 

Correct.  The 0x30000...0x3ffff area is the only problematic one;
Igor's idea (or a variant, for example optionally remapping
0xa0000..0xaffff SMRAM to 0x30000) is becoming more and more attractive.

Paolo