We recommend that firmware developers review this document to understand threats from unauthorized internal DMA, as well as DMA from non-PCI devices that platform firmware may configure. Using an IOMMU such as Intel VT-d allows fine-grained control of memory protection without broadly disabling bus-mastering capabilities in the pre-boot space.
Note: this whitepaper was originally published under the title “A Tour beyond BIOS Using Intel® VT-d for DMA Protection in UEFI BIOS” in January 2015.
https://firmware.intel.com/blog/updated-whitepaper-using-iommu-dma-protection-uefi-firmware