Feature #5317
Disable FireWire DMA
Start date:
Due date:
% Done: 0%
Description
The kernel documentation reads (debugging-via-ohci1394.txt):
The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with CONFIG_FIREWIRE_OHCI_REMOTE_DMA […] to get unfiltered physical DMA.
Given:
- CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set in Debian’s Linux 3.2.
- Only the new FireWire stack (firewire-ohci) is shipped in Debian’s Linux 3.2.
… Tails seems to be immune from the physical memory attacks via FireWire/DMA we know.
Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html
Blacklisting + unloading firewire_sbp2 is apparently enough to make Tails immune.
Resources
- Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update)
- Using physical DMA provided by OHCI-1394 FireWire controllers for debugging
Wait for "Protect against external bus memory forensics" (Feature #5451).
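The mitigation the ticket describes (blacklist the FireWire module so it is never loaded, and unload it if it already is) as a worked example. This is added illustration, not code from the Tails project or from the ticket. It goes slightly beyond the ticket, which names only firewire_sbp2: the module list also covers firewire_ohci and firewire_core, the other modules of the firewire-ohci stack, for defence in depth. The `install <module> /bin/false` directive is a standard modprobe.d feature that also defeats on-demand loading through module aliases. The output path and the lsmod-style sample text are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Tails ticket. Generates a modprobe.d
# blacklist for the FireWire modules and verifies that none are loaded.
# Only firewire_sbp2 is named in the ticket; firewire_ohci and firewire_core
# are added here for defence in depth (assumption: the firewire-ohci stack).
FIREWIRE_MODULES="firewire_sbp2 firewire_ohci firewire_core"

# Write a modprobe.d fragment to the path given as $1
# (e.g. /etc/modprobe.d/no-firewire.conf, an assumed location).
write_firewire_blacklist() {
    out="$1"
    : > "$out"
    for m in $FIREWIRE_MODULES; do
        # 'blacklist' stops automatic loading by hardware alias;
        # 'install ... /bin/false' makes any explicit modprobe fail too.
        printf 'blacklist %s\n' "$m" >> "$out"
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
}

# Unload the modules that are currently loaded, dependents first
# (firewire_sbp2 and firewire_ohci both depend on firewire_core).
# Needs root; returns non-zero if a module refuses to unload.
unload_firewire_modules() {
    for m in firewire_sbp2 firewire_ohci firewire_core; do
        if lsmod | awk '{print $1}' | grep -qx "$m"; then
            modprobe -r "$m" || return 1
        fi
    done
}

# Read lsmod-style output on stdin; return 0 when no FireWire module
# is present, otherwise print each loaded one and return 1.
check_firewire_unloaded() {
    found=0
    while read -r name rest; do
        for m in $FIREWIRE_MODULES; do
            if [ "$name" = "$m" ]; then
                echo "loaded: $name"
                found=1
            fi
        done
    done
    return $found
}

# Typical use on a running system (as root):
#   write_firewire_blacklist /etc/modprobe.d/no-firewire.conf
#   unload_firewire_modules
#   lsmod | check_firewire_unloaded && echo "no FireWire modules loaded"
```

The blacklist file only takes effect for the next module load, which is why the unload step is still needed on a live system; the check function is what a post-boot sanity test would run.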
Subtasks
Related issues
Blocked by Tails - Feature #5451: Protect against external bus exploitation | Confirmed | 2015-06-13 |
History
#1 Updated by intrigeri 2013-07-19 06:41:01
- Subject changed from disable firewire? to disable FireWire DMA
- Type of work changed from Wait to Code
#2 Updated by BitingBird 2014-06-09 10:22:12
- Subject changed from disable FireWire DMA to Disable FireWire DMA
- Starter set to No