07:11 jchorin: Hello everybody, I'm working with envytools, and the README states that the nva tools can hang my machine. I would like to know in which case it may happen?
07:23 mwk: jchorin: they are a direct pathway to access the gpu... if you do anything strange enough to hang the gpu, you might bring down the machine with it
07:24 mwk: that's the usual consequence when you're poking around random hardware registers and do something wrong
07:29 jchorin: mwk: I actually just would like to read the BIOS. Would that bring any harm?
07:36 mwk: nah, that's safe
07:39 jchorin: Ok good to know thanks!
07:48 jchorin: Another question: the nvagetbios tool tells me that my card has a second BIOS. Is it also stored in the ROM file by nvagetbios?
09:13 karolherbst: mwk: reading the vbios isn't necassarily safe, I think nvareadbios uses pramin by default, no? This can lead to really bad results on a laptop and crashing/hanging the machine ;)
09:14 karolherbst: but that's only because some regs aren't always initialized like they should be leading to various issues
09:14 jchorin: karolherbst: I'm on a server and using the vfio driver. Is it the same situation?
09:16 karolherbst: uhh, don't know. doubtful though
09:16 karolherbst: the second BIOS is most likely a copy of the first one though... I highly doubt they differ in any way
09:18 jchorin: Both could be read or modified? I want to be able to know if anybody changed the vbioses on my GPUs
09:19 karolherbst: why would anybody be able to change it?
09:19 karolherbst: if anybody would, a changed vbios should be the smallest of your problems
09:20 karolherbst: usually you need some flashing tools in order to reflash the vbios
09:21 jchorin: I'm working on a server where the GPUs are given to VMs for different clients. I don't want anybody to touch the vbios unbeknownst to us
09:22 jchorin: If they change it, release the GPU by deleting the VM, and somebody else has the GPU on another VM, that may be an issue, no?
09:25 karolherbst: sure.. but if they are able to reflash the vbios, they can do everything else as well
09:26 karolherbst: like installing rootkits into your hardware firmware and so on
09:27 karolherbst: well, depending on how the VM works
09:27 karolherbst: but eg, if you pass in the GPU and there is no proper security model attached to the process, you are in for big troubles anyway
09:27 jchorin: My goal was to get an image of the vbios and store it. When the VM is deleted, I check the current vbios and compare it to the one stored
09:29 karolherbst: well sure, you can do that, I just don't think that with a proper hypervisor that's something which people have to care about. Because you are most likely not the only one with that concern
09:30 jchorin: The vfio driver has ways to prevent that, using IOMMU (regarding your previous message)
09:30 jchorin: well there is unfortunately not so much documentation on that
09:31 karolherbst: yeah, usually an IOMMU is what should prevent all kind of accesses
09:32 jchorin: When we tried, using NVFlash we could modify the vbios of the card from the VM. But we used Nvidia signed bios
09:32 karolherbst: I don't know that much about how the flashing process actually works, but usually you need some really high privilged mode for doing that. In the past you had to create a boot stick with some DOS on it
09:33 karolherbst: jchorin: ohhh, weird
09:33 karolherbst: an VM should prevent that
09:33 karolherbst: uhm, hypervisor
09:35 karolherbst: ufff
09:35 jchorin: I am not the one who did that, maybe I misunderstood. I'll check that
09:35 karolherbst: jchorin: the issue is, that the vbios contains code which is executed by the hw firmware in order to bring up the device for initial displaying stuff
09:35 karolherbst: so.. if somebody would be able to change that from within a VM....
09:36 karolherbst: and code like in x86 code
09:38 jchorin: In my case, the driver is vfio, so I'm guessing that what youŕe explaining should happen IN the VM?
09:39 karolherbst: no, the host
09:39 jchorin: hum, yeah, sounds bad
09:39 karolherbst: if you are able to change the vbios on the hardware itself, then that would affect the host directly ;)
09:40 jchorin: Ok, I'm sorry, I'm not really good with hardware :)
09:41 jchorin: Thanks for your help. I'll check again if the flashing is possible or not
09:41 jchorin: But I think it is, otherwise I would not have been given this task :/
09:42 karolherbst: yeah, would be best. Anyway, flashing firmware is kind of something where you want to require ring0 access... anything else is just bad design
09:43 karolherbst: but.. if nvidia hardware allows it with less priviliged modes, maybe it's time for a new CVE for nvidia :p
09:45 jchorin: Well, they were never really open about most issues anyway...
09:46 jchorin: I'm just thinking that a reboot should be done on the host to apply the changes, if the vbios is changed, right?
09:48 karolherbst: yeah, otherwise it shouldn't affect anything except new VMs
09:59 jchorin: So at least, even if it is actually possible to flash, we can check it.
09:59 jchorin: Alright, thanks for your help!