Feature #5317

Disable FireWire DMA

Added by Tails 2013-07-18 07:39:00. Updated 2014-06-09 10:22:12.

Status: Confirmed
Priority: Normal
Assignee:
Category:
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

The kernel documentation reads (debugging-via-ohci1394.txt):

The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with CONFIG_FIREWIRE_OHCI_REMOTE_DMA […] to get unfiltered physical DMA.

Given:

  1. CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set in Debian’s Linux 3.2.
  2. Only the new FireWire stack (firewire-ohci) is shipped in Debian’s Linux 3.2.

… Tails seems to be immune from the physical memory attacks via FireWire/DMA we know.

Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html

Blacklisting + unloading firewire_sbp2 is apparently enough to make Tails immune.
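The mitigation the ticket settles on is a module blacklist. The script below is an added example, not code from the ticket or from Tails: it generates a modprobe.d fragment for the FireWire stack (going beyond the ticket by covering firewire_ohci and firewire_core as well as firewire_sbp2; the assumption is that these are the module names of Debian's firewire-ohci stack), checks a kernel config file for the CONFIG_FIREWIRE_OHCI_REMOTE_DMA condition the description relies on, and lists any firewire_* modules still loaded. The kernel config lines and lsmod listing it runs on are constructed samples embedded in the script.

```shell
#!/bin/sh
# Added example (not from the Tails ticket or the Tails code base): helpers to
# generate a modprobe.d blacklist for the FireWire stack and to check a kernel
# config and an lsmod listing for the conditions the ticket relies on.
# Assumption: firewire_sbp2, firewire_ohci and firewire_core are the module
# names shipped with the firewire-ohci stack in Debian's kernel.

FIREWIRE_MODULES="firewire_sbp2 firewire_ohci firewire_core"

# Print a modprobe.d fragment. "blacklist" only stops alias-based autoloading;
# "install <mod> /bin/true" also defeats loading as a dependency of another
# module or by an explicit modprobe, which a bare blacklist line does not.
firewire_blacklist_conf() {
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/true\n' "$m"
    done
}

# Return 0 when the kernel config file given as $1 has unfiltered physical
# DMA compiled out (CONFIG_FIREWIRE_OHCI_REMOTE_DMA not set), 1 otherwise.
remote_dma_disabled() {
    if grep -q '^CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y' "$1"; then
        return 1
    fi
    return 0
}

# Read lsmod-style output on stdin and print the names of loaded
# firewire_* modules, one per line (no output means none are loaded).
loaded_firewire_modules() {
    awk 'NR > 1 && $1 ~ /^firewire_/ { print $1 }'
}

# Constructed sample inputs standing in for /boot/config-* and lsmod output.
SAMPLE_CONFIG_OK='# CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set
CONFIG_FIREWIRE_OHCI=m
CONFIG_FIREWIRE_SBP2=m'
SAMPLE_LSMOD='Module                  Size  Used by
firewire_sbp2          20480  0
firewire_ohci          40960  0
firewire_core          65536  2 firewire_sbp2,firewire_ohci
snd_hda_intel          45056  3'

demo() {
    cfg=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG_OK" > "$cfg"
    if remote_dma_disabled "$cfg"; then
        echo "kernel config: unfiltered physical DMA compiled out"
    else
        echo "kernel config: CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y, physical DMA unfiltered"
    fi
    rm -f "$cfg"
    echo "loaded firewire modules (expected to be empty after blacklist + unload):"
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_firewire_modules
    echo "suggested /etc/modprobe.d/blacklist-firewire.conf:"
    firewire_blacklist_conf
}

demo
```

On a real system the checks would read /boot/config-$(uname -r) and the output of lsmod instead of the samples; the modprobe.d fragment only takes effect for future loads, so already-loaded modules still need to be removed with rmmod, which is why the ticket pairs blacklisting with unloading.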

Resources

Wait for "protect against external bus memory forensics" (Feature #5451).

Related issues

Blocked by: Tails - Feature #5451: Protect against external bus exploitation (Confirmed, 2015-06-13)

History

#1 Updated by intrigeri 2013-07-19 06:41:01

  • Subject changed from disable firewire? to disable FireWire DMA
  • Type of work changed from Wait to Code

#2 Updated by BitingBird 2014-06-09 10:22:12

  • Subject changed from disable FireWire DMA to Disable FireWire DMA
  • Starter set to No