Re: [tip:x86/setup] x86, setup: "glove box" BIOS calls -- infrastructure

[Avi Kivity <avi@redhat.com>]

Ingo Molnar wrote:
> * H. Peter Anvin <hpa@zytor.com> wrote:
>
>   
>> Avi Kivity wrote:
>>     
>>> kvm might help detecting these issues, but not in fixing them.  
>>> If you isolate the BIOS, then you've prevented corruption, but 
>>> you've also prevented it from doing whatever it is it was 
>>> supposed to do.  If you give it access to memory and the rest of 
>>> the system, then whatever evil it has wrought affects the system.
>>>
>>> You could try to allow the BIOS access to selected pieces of 
>>> memory and hardware, virtualizing the rest, but it seems to me it 
>>> would be more like a recipe for a giant headache that a solution.
>>>
>>>       
>> The main thing you could do is drop or virtualize memory accesses 
>> to RAM it should never access in the first place, like some BIOSes 
>> which scribble over random locations in low memory.
>>     
>
> it would be enough to get the information out. That way we could see 
> (from the access patterns) what the heck it is trying to do (did 
> someone rootkit the bios?), and what we can do about it. Trying to 
> contain it will likely break the BIOS and causes silent hangs with 
> no usable bug report left.
>   

Hmm, it's doable with the 1:1 mode; Andrea did some work on this.

However if the bios tries to do anything clever (like using SMM) things 
will fail pretty badly.

-- 
error compiling committee.c: too many arguments to function