Updated Whitepaper: Using IOMMU for DMA Protection in UEFI Firmware

BrianRichardson's picture

Intel recently updated the "A Tour Beyond BIOS: Using IOMMU for DMA Protection in UEFI Firmware" whitepaper regarding protection against firmware-based Direct Memory Access (DMA) attacks.

This paper presents the idea of using an input–output memory management unit (IOMMU) to resist Direct Memory Access (DMA) attacks in firmware. Intel® Virtualization Technology for Directed I/O (VT-d) is used in this example, but the concept can be applied to other IOMMU engines.

We recommend that firmware developers review this document to understand threats from unauthorized internal DMA, as well as DMA from non-PCI devices that platform firmware may configure. Using an IOMMU such as Intel VT-d allows fine-grain control of memory protection without broadly disabling bus-mastering capabilities in the pre-boot space.

Summary of changes:

  • Articulate new threat model to include external devices as well as internal subsystems
  • Discuss BME-based mitigation and its limitations
  • Grammar and formatting changes

Note: this whitepaper was originally published under the title "A Tour beyond BIOS Using Intel® VT-d for DMA Protection in UEFI BIOS" in January 2015.