Linked by David Adams on Fri 2nd Mar 2012 16:03 UTC
When was the last time you reverse-engineered all the PCI devices on your motherboard? ... Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver.
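The DMA restriction described above only holds per IOMMU group: devices the IOMMU cannot tell apart land in the same group and move into a driver domain together, and a device in no group gets no protection at all. The following added example (not code from the linked article, Xen, or any commenter) reads the Linux sysfs layout `/sys/kernel/iommu_groups/<N>/devices/` and `/sys/bus/pci/devices/` to show that, using a constructed sample tree rather than a real machine:

```python
import tempfile
from pathlib import Path

def iommu_groups(sysfs="/sys"):
    """Map IOMMU group number -> sorted PCI addresses (BDF) in that group.
    Reads <sysfs>/kernel/iommu_groups/<N>/devices/, which the kernel only
    populates when an IOMMU (VT-d / AMD-Vi) is enabled. Empty dict = no IOMMU."""
    base = Path(sysfs) / "kernel" / "iommu_groups"
    groups = {}
    if not base.is_dir():
        return groups
    for entry in base.iterdir():
        if entry.name.isdigit():
            devs = entry / "devices"
            groups[int(entry.name)] = sorted(p.name for p in devs.iterdir()) if devs.is_dir() else []
    return groups

def isolation_domain(bdf, sysfs="/sys"):
    """Every device the IOMMU cannot separate from `bdf`, i.e. its whole group.
    Handing `bdf` to a driver domain drags all of these along with it.
    Returns None when the device is in no group (no DMA restriction possible)."""
    for members in iommu_groups(sysfs).values():
        if bdf in members:
            return members
    return None

def unprotected_devices(sysfs="/sys"):
    """PCI devices under <sysfs>/bus/pci/devices that belong to no IOMMU group."""
    pci = Path(sysfs) / "bus" / "pci" / "devices"
    if not pci.is_dir():
        return []
    grouped = {d for m in iommu_groups(sysfs).values() for d in m}
    return sorted(p.name for p in pci.iterdir() if p.name not in grouped)

def build_sample_sysfs():
    """Constructed sample tree (not a real machine): a GPU and its HDMI audio
    function share group 1, the NIC sits alone in group 2, and a USB controller
    appears on the PCI bus but in no group."""
    root = Path(tempfile.mkdtemp())
    layout = {1: ["0000:01:00.0", "0000:01:00.1"], 2: ["0000:02:00.0"]}
    for grp, devs in layout.items():
        for d in devs:
            (root / "kernel" / "iommu_groups" / str(grp) / "devices" / d).mkdir(parents=True)
    for d in ["0000:01:00.0", "0000:01:00.1", "0000:02:00.0", "0000:00:14.0"]:
        (root / "bus" / "pci" / "devices" / d).mkdir(parents=True, exist_ok=True)
    return str(root)

if __name__ == "__main__":
    root = build_sample_sysfs()
    print("groups:", iommu_groups(root))
    print("moves with the GPU:", isolation_domain("0000:01:00.0", root))
    print("no IOMMU protection:", unprotected_devices(root))
```

Run it without arguments against a live system (`iommu_groups()`) to see whether the firmware and kernel actually enabled the IOMMU before relying on a driver domain for containment.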
Thread beginning with comment 509375

On most PC systems, the graphics card and, for example, your NIC also have firmware that loads during startup. The main BIOS does that before it loads the OS.

So that also needs to be disabled or adapted to only allow access to certain parts of the system. Which means you'll need an open-source BIOS.

I'm pretty sure at that stage using IOMMU/VT-d wouldn't work.

So you would need to have your own implementation of the graphics card BIOS. The NIC can be handled later by the OS, I would think.

Anyway good luck getting an open BIOS for your graphics card :-(

So there is probably only one solution for that: the Open Graphics Project?

They still seem to be at Phase I of their project.

The other solution is starting up without graphics, of course...

Reply Score: 3

Luminair

You are right, but to deal with this people can (and do) just dump their BIOS to a file and use that. But this field is totally new and underdeveloped, underdocumented and undertested, so you have to be a hacker to deal with it. But there it is.

It is wonderful that the software and hardware exist now to run Linux, pass through your graphics card to Windows, and play virtualized games at full speed. The bad part is nobody normal is allowed to do it. Domain of the nerds and all.

Reply Parent Score: 2

Lennie

I've been thinking some more about this, and how does "secure boot" UEFI deal with the graphics card firmware?

I guess it uses some higher-level interface? Not the legacy one that needs a VGA console.

So I was actually wrong.

I see that Linux 3.3 now also supports starting from EFI directly.

Reply Parent Score: 2