dasharo-issues
Early DMA protection cannot be applied to NovaCustom MTL models
Component
Dasharo firmware
Device
NovaCustom V54 14th Gen
Dasharo version
v0.9.1-rc1
Dasharo Tools Suite version
No response
Test case ID
EDP001.001
Brief summary
Early DMA protection check using cbmem fails
How reproducible
100% in two retries
How to reproduce
Do the EDP001.001 test manually
- enable early DMA protection
- boot to Ubuntu
- run
sudo ./cbmem -1
Expected behavior
output should contain:
[DEBUG] VT-d @ 0xfed91000, version 5.0
[INFO ] Setting DMA protection [0x0 - 0x46c00000]
[INFO ] Setting DMA protection [0x100000000 - 0x00000008afc00000]
[INFO ] Successfully enabled VT-d PMR DMA protection
Actual behavior
root@3mdeb:/home/ubuntu# ./cbmem -1 | grep -i "dma"
?ACPI: * DMAR
?soc_fill_dmar - gfxvtbar:0xfc800000 0xfc800001
root@3mdeb:/home/ubuntu#
root@3mdeb:/home/ubuntu# ./cbmem -1 | grep -i "protection"
?BM-LOCKDOWN: Skipping enabling boot media protection
?ME: SPI Protection Mode Enabled : NO
root@3mdeb:/home/ubuntu#
Screenshots
No response
Additional context
No response
Solutions you've tried
No response
The code to configure DMA protection is not wired up on soc/intel/meteorlake
Most likely just need to apply https://review.coreboot.org/c/coreboot/+/68450 but for meteorlake and that should be enough
I am applying the patch here: https://github.com/Dasharo/coreboot/pull/553. We need the Intel FSP to compile and test it on the target platform though.
After applying the patch cbmem -l shows
[ERROR] VT-d PMR HOB not found, not enabling DMA protection
The test passes on V560TNE with v0.9.1-rc4.
Not working on V540TND with v0.9.1-rc5
ubuntu@3mdeb:~$ grep -i "vt-d" cbmem-dma-enabled.log
[DEBUG] VT-d @ 0xfc801000, version 7.0
[ERROR] VT-d PMR HOB not found, not enabling DMA protection
Issue still present in v0.9.1-rc6. cbmem-dma-enabled.txt
~~Issue still present in v0.9.1-rc7.~~ ~~cbmem-dma-enabled.txt~~
@SebastianCzapla The option was supposed to be hidden, how are you testing if it's not visible?
You are right, it is not visible in the security options. I misread another option for it, my bad.
We attempted to simply enable DMA protection in coreboot the same way it was done for Alder Lake, but it looks like the FSP does not produce the required HOB.
Also affects nv4x on Heads master per Dasharo coreboot commit used: https://github.com/Dasharo/coreboot/commit/94e5f5d5b808cf8d8fd5c70d4ef6a08a054f8986
As per: https://github.com/linuxboot/heads/blob/462c157b23d4e45b80a7685d289f9a6d14d53fdd/modules/coreboot#L94C1-L99C46
Excerpt:
# MSI and NovaCustom NV4xPZ, NS5xPU, V560TU boards are based on Dasharo
# coreboot fork, based on upstream coreboot version 24.02
coreboot-dasharo_repo := https://github.com/dasharo/coreboot
coreboot-dasharo_commit_hash := 94e5f5d5b808cf8d8fd5c70d4ef6a08a054f8986
$(eval $(call coreboot_module,dasharo,24.02.01))
#coreboot-dasharo_patch_version := unreleased
Note that nv41 coreboot config under master doesn't have early dma protection on: https://github.com/linuxboot/heads/blob/462c157b23d4e45b80a7685d289f9a6d14d53fdd/config/coreboot-novacustom-nv4x_adl.config#L426
Excerpt:
# CONFIG_ENABLE_EARLY_DMA_PROTECTION is not set
cbmem -1 log captured on Heads recovery shell with Heads master:
withhout_early_dma_protection-master.log
When setting CONFIG_ENABLE_EARLY_DMA_PROTECTION=y, it cannot be applied.
cbmem -1 log with_early_boot_with_vtd_DISABLED_WARNING.log
Excerpt:
[INFO ] VT-d DMA protection disabled by option
Cross Ref https://github.com/linuxboot/heads/pull/1913#issuecomment-2678763157
Please
- [x] add nv41 as affected / open another issue
- [x] rename issue as "Early DMA protection cannot be applied to alderlake+"
- [ ] add in release notes for latest coreboot+uefi/ coreboot+heads
CC @macpijan
> Also affects nv4x on Heads master per Dasharo coreboot commit used:

Thanks for leaving a note here. We will verify this when working on the future NV4 coreboot releases.
The UEFI release v1.7.2 https://docs.dasharo.com/variants/novacustom_nv4x_adl/releases/#v172-2024-01-03 points specifically to https://github.com/Dasharo/dasharo-issues/issues/630 so I believe we have tested that it used to work correctly back then.
> add nv41 as affected / open another issue

Added a label, until we prove otherwise / fix - then it can be removed.
> rename issue

Done
> add in release notes for latest coreboot+uefi/ coreboot+heads

Please report once confirmed that we have everything in order here @mkopec
> Please
> - [x] add nv41 as affected / open another issue
> - [x] rename issue as "Early DMA protection cannot be applied to alderlake+"
> - [ ] add in release notes for latest coreboot+uefi/ coreboot+heads
> CC @macpijan

Affects V56 and nv4x releases. Thanks.
CC @macpijan Crossref to downstream user created issue https://github.com/linuxboot/heads/issues/1922
Reminder, cc @mkopec
> Please
> - [x] add nv41 as affected / open another issue
> - [x] rename issue as "Early DMA protection cannot be applied to alderlake+"
> - [ ] add in release notes for latest coreboot+uefi/ coreboot+heads
> CC @macpijan
>
> Affects V56 and nv4x releases. Thanks

Early DMA protection disabled for v560tu/v540tu at https://github.com/Dasharo/coreboot/pull/769
Early DMA protection works on NV41PZ Alderlake with Dasharo v1.8.0-rc3, cbmem contains:
[DEBUG] VT-d @ 0xfed91000, version 5.0
[INFO ] Setting DMA protection [0x0 - 0x75c00000]
[INFO ] Setting DMA protection [0x100000000 - 0x000000027fc00000]
[INFO ] Successfully enabled VT-d PMR DMA protection
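
The thread shows four distinct cbmem outcomes for the EDP001.001 check: PMR protection enabled, PMR HOB not found, protection disabled by option, and no PMR messages at all. The script below is an added example, not part of the issue or of Dasharo's test suite, that tells them apart in a saved `cbmem -1` log. The status words and the sample log files are constructed for this example from the excerpts quoted above.

```shell
#!/bin/sh
# Added example: classify early DMA protection state from a saved `cbmem -1` log.
# The matched messages are the ones quoted in this issue; the status words
# printed by classify_edp are names chosen for this example.

classify_edp() {
    log=$1
    if grep -q 'Successfully enabled VT-d PMR DMA protection' "$log"; then
        # Success must come with at least one protected range line.
        n=$(grep -c 'Setting DMA protection \[0x' "$log" || true)
        if [ "$n" -ge 1 ]; then echo "enabled ranges=$n"; else echo "inconsistent"; fi
    elif grep -q 'VT-d PMR HOB not found' "$log"; then
        echo "hob-missing"          # code ran, but FSP produced no PMR HOB
    elif grep -q 'VT-d DMA protection disabled by option' "$log"; then
        echo "disabled-by-option"
    else
        echo "no-pmr-messages"      # as in the original report: nothing logged
    fi
}

# Constructed sample logs, assembled from the excerpts in this thread.
write_samples() {
    dir=$1
    cat > "$dir/working.log" <<'EOF'
[DEBUG] VT-d @ 0xfed91000, version 5.0
[INFO ] Setting DMA protection [0x0 - 0x75c00000]
[INFO ] Setting DMA protection [0x100000000 - 0x000000027fc00000]
[INFO ] Successfully enabled VT-d PMR DMA protection
EOF
    cat > "$dir/hob.log" <<'EOF'
[DEBUG] VT-d @ 0xfc801000, version 7.0
[ERROR] VT-d PMR HOB not found, not enabling DMA protection
EOF
    cat > "$dir/option.log" <<'EOF'
[INFO ] VT-d DMA protection disabled by option
EOF
    cat > "$dir/unwired.log" <<'EOF'
ACPI: * DMAR
soc_fill_dmar - gfxvtbar:0xfc800000 0xfc800001
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in working hob option unwired; do
    printf '%s: %s\n' "$f" "$(classify_edp "$tmp/$f.log")"
done
rm -rf "$tmp"
```

On a target, save the console with `sudo ./cbmem -1 > cbmem.log` and pass that file to `classify_edp`; only the `enabled` result corresponds to the expected behavior in the report.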