  • Posts: 79
  • Registered: ‎12-26-2020
  • Location: Austria
  • Views: 615
  • Message 1 of 6

Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-18, 4:12 AM

Steps to reproduce:

  1. Connect Lenovo-branded USB-C dock (not "hub"). I have tested with "Lenovo USB-C Mini Dock".
  2. Flash it with the latest firmware.
  3. Connect to your laptop, attempt to boot with `efi=disable_early_pci_dma` kernel parameter.
  4. Boot fails

Can be reproduced on X13 and P14s.

  • Posts: 211
  • Registered: ‎03-06-2021
  • Location: Germany
  • Views: 1315
  • Message 2 of 6

Re:Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-18, 11:08 AM

@jd_user wrote:

> Steps to reproduce:
>
>   1. Obtain "Lenovo USB-C Mini Dock"
>   2. Flash it with the latest firmware
>   3. Connect to your laptop, attempt to boot with `efi=disable_early_pci_dma` kernel parameter
>   4. Boot fails
>
> Tested on X13 and P14s.

Ok. In general no one is going to buy HW to test a bug. For that reason, you should attach logs, in this case, a dmesg from the failing boot so we could try to find out what may be wrong from the log files.

Just out of curiosity, why would you want to boot with this option? It is more of a 'per device' option which may or may not work. The help on the option tells you already it will probably fail.

  • Posts: 79
  • Registered: ‎12-26-2020
  • Location: Austria
  • Views: 615
  • Message 3 of 6

Re:Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-18, 23:08 PM

@osnix wrote:

> Ok. In general no one is going to buy HW to test a bug.

I have updated the first post to make the language clearer.

> For that reason, you should attach logs, in this case, a dmesg from the failing boot so we could try to find out what may be wrong from the log files.

I would do so straight away; however, in this case the system ends up in an unknown state with a white cursor over the black screen (please read on) and some block-y visual artefacts visible from time to time.

Important notes regarding the white mouse cursor:

  1. There is no X-Server or login manager installed.
  2. Machine is configured to not start anything graphics-capable by default and boots into regular TTY prompt.

> Just out of curiosity, why would you want to boot with this option? It is more of a 'per device' option which may or may not work. The help on the option tells you already it will probably fail.

Matthew Garrett has explained it better than I can: https://mjg59.dreamwidth.org/54433.html

  • Posts: 211
  • Registered: ‎03-06-2021
  • Location: Germany
  • Views: 1315
  • Message 4 of 6

Re:Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-18, 23:25 PM

I know what this code is trying to do. And what the post doesn't tell you is that it *needs* a proper firmware implementation to work, and because of that the help on this option is telling you it will fail, and to not use it without testing; however, it has nothing to do with 'poorly behaved hardware' like the patch claims.

In your case, it is simple: when it is not working, do not use that. I don't believe Lenovo will change their BIOSes bc of some theoretical security issues, because it is exactly theoretical.

  • Posts: 79
  • Registered: ‎12-26-2020
  • Location: Austria
  • Views: 615
  • Message 5 of 6

Re:Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-18, 23:45 PM

@osnix wrote:

> I know what this code is trying to do. And what the post doesn't tell you is that it *needs* a proper firmware implementation to work, and because of that the help on this option is telling you it will fail, and to not use it without testing; however, it has nothing to do with 'poorly behaved hardware' like the patch claims.
>
> In your case, it is simple: when it is not working, do not use that. I don't believe Lenovo will change their BIOSes bc of some theoretical security issues, because it is exactly theoretical.

I appreciate your level of insight; however, I do believe Matthew's claims due to his sheer expertise (https://en.wikipedia.org/wiki/Matthew_Garrett) in the matter.

Regarding your statements:

  • "...it has nothing to do with 'poorly behaved hardware' like the patch claims."

Can you elaborate on this one?

  • "...theoretical security issues, because it is exactly theoretical"

To quote the original: "This will prevent any malicious PCI devices from being able to perform DMA until the kernel reenables busmastering after configuring the IOMMU."

  • Posts: 211
  • Registered: ‎03-06-2021
  • Location: Germany
  • Views: 1315
  • Message 6 of 6

Re:Connected USB-C dock prevents booting with `efi=disable_early_pci_dma`

2021-04-19, 0:54 AM

It is right in the sentence. 'a malicious PCI(e) device' is theoretical, like the kernel has some security options for 'potentially malicious BIOSes', or theoretical UEFI attacks.

What is a malicious PCI device? :) (we can discuss that later).

Yes, Matt is a nice guy and what he tells is true, it could happen in theory. (I don't have a wiki page and don't need one, but my first patch to the kernel was 2 decades ago, I have a very good idea of how kernel development works, how security people can go mad with nonsense (even when theoretically possible) and how companies are pushing their agendas in the process .) )

I don't know how much you know about MMU/DMA/IOMMU/VM code in general, or PCI devices, bridges, or root ports, but the idea is this:

If you disable the BIT on the bridge/root port, downstream PCI devices 'may' not be able to bypass that. But even if that works, it could still be bypassed from the board 'chipset' itself. IOW, what this does right now is to HOPE a downstream PCI device is restricted when clearing the BIT on the bridge, while still 'trusting' the board chipset to do the right thing and so trusting the Vendor firmware.

See the problem with those theoretical issues?

Also, you are missing the end of his post which tells you exactly what I've told you from the beginning:

"In combination with firmware that does the right thing, this should ensure that Linux systems can be protected against malicious PCI devices throughout the entire boot process."

The magic will only work (somewhat) if the firmware does the right thing.

 

 

 

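As an added illustration of "the BIT" the last post refers to (this is not part of the thread and not kernel code): the code below reads the Bus Master Enable bit from each PCI configuration header, via Linux sysfs or a constructed sample, and checks whether the `efi=` options on a kernel command line request `disable_early_pci_dma`. The sample headers, their IDs and the function names are constructed for this example; on a running system the bit shows the state after the kernel has re-enabled bus mastering.

```python
import glob, os, struct

PCI_COMMAND_MASTER = 0x0004  # Command register (offset 0x04), bit 2: Bus Master Enable
PCI_HEADER_TYPE = 0x0E       # low 7 bits == 0x01: PCI-to-PCI bridge (incl. root ports)

def parse_header(cfg):
    """Decode the config-header fields relevant to the bus-master discussion."""
    if len(cfg) < 16:
        raise ValueError("need at least 16 bytes of PCI config space")
    vendor, device, command = struct.unpack_from("<HHH", cfg, 0)
    return {"id": f"{vendor:04x}:{device:04x}",
            "is_bridge": (cfg[PCI_HEADER_TYPE] & 0x7F) == 0x01,
            "bus_master": bool(command & PCI_COMMAND_MASTER)}

def bridges_with_bus_master(devices):
    """Addresses of bridges whose Bus Master Enable bit is set."""
    parsed = {bdf: parse_header(cfg) for bdf, cfg in devices.items()}
    return sorted(b for b, h in parsed.items() if h["is_bridge"] and h["bus_master"])

def efi_early_dma_disabled(cmdline):
    """True if the efi= options request clearing bus mastering early (last one wins)."""
    state = False
    for arg in cmdline.split():
        if arg.startswith("efi="):
            for opt in arg[4:].split(","):  # efi= takes a comma-separated list
                if opt in ("disable_early_pci_dma", "no_disable_early_pci_dma"):
                    state = not opt.startswith("no_")
    return state

def read_sysfs(root="/sys/bus/pci/devices"):
    """Read the first 64 config bytes of every PCI device (readable without root)."""
    devices = {}
    for path in glob.glob(os.path.join(root, "*", "config")):
        with open(path, "rb") as fh:
            devices[os.path.basename(os.path.dirname(path))] = fh.read(64)
    return devices

def make_cfg(command, header_type):
    """Constructed 64-byte header; the vendor/device IDs are placeholders."""
    return struct.pack("<HHH8xB49x", 0xFFFE, 0x0001, command, header_type)

# Constructed sample, used when sysfs is not available
SAMPLE = {"0000:00:1c.0": make_cfg(0x0007, 0x01),   # bridge, bus master set
          "0000:00:1d.0": make_cfg(0x0003, 0x81),   # multi-function bridge, bit clear
          "0000:03:00.0": make_cfg(0x0006, 0x00)}   # endpoint, not a bridge

if __name__ == "__main__":
    print(bridges_with_bus_master(read_sysfs() or SAMPLE))
```

The command-line check looks only at `efi=` and does not account for the kernel's build-time default for this option.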