Consider blacklisting PCI hotplug-related modules #1673

Closed
rustybird opened this Issue Jan 22, 2016 · 13 comments

@rustybird

Would it make sense to disable CONFIG_HOTPLUG_PCI (which all the PCI hotplug modules depend on) in qubes-linux-kernel, to prevent DMA attacks via ExpressCard and Thunderbolt ports?

@marmarek

@marmarek

marmarek Jun 4, 2016

Member

While in some cases it is a really good idea, some people depend on those ports, so we can't make this change distribution-wide.
On the other hand, it may be a good idea to blacklist related modules.


@andrewdavidwong andrewdavidwong changed the title from Compile qubes-linux-kernel with CONFIG_HOTPLUG_PCI disabled? to Consider blacklisting PCI hotplug-related modules Jun 4, 2016

@andrewdavidwong andrewdavidwong added P: minor and removed question labels Jun 4, 2016

@tasket

@tasket

tasket Jun 5, 2016

If the whole pcie hotplug feature could be blacklisted as a module, that would be great. I thought it was a module, but I see no sign of it now.


@rustybird

@rustybird

rustybird Jun 5, 2016

While in some cases it is a really good idea, some people depend on those ports, so we can't make this change distribution-wide.

They could still use the ports, only they'd have to plug their stuff in before the Linux kernel starts.


@rustybird

@rustybird

rustybird Jul 12, 2016

@marmarek:

FWIW, I've been running this setup in the last few weeks: Using a kernel with CONFIG_HOTPLUG_PCI disabled, when I need an ExpressCard I plug it in during GRUB (not before, in case it has an option ROM). Works very well, especially with flush-mount ExpressCards because those can be left in the slot without being a bother.

Isn't this a good trade-off between extensibility and security against a very quick physical attack?

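An added example (not code from the issue or from the Qubes project) of the check a practitioner would run before relying on either the module blacklist marmarek suggests or the CONFIG_HOTPLUG_PCI-disabled kernel rustybird describes: it reads a kernel config, reports which PCI hotplug drivers are built in (and so cannot be blacklisted, which is what tasket ran into) and emits modprobe.d entries for the modular ones. Assumed: the Kconfig symbols CONFIG_HOTPLUG_PCI_PCIE/_ACPI/_SHPC and the driver names pciehp, acpiphp and shpchp, which are the in-tree Linux ones; the config text at the bottom is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the issue or the Qubes project. Audits whether a
# kernel can still attach DMA-capable PCI/PCIe devices after boot (the hotplug
# path this thread proposes to close) and prints a modprobe.d blacklist.
# Assumed: pciehp/acpiphp/shpchp and the CONFIG_HOTPLUG_PCI_* symbols are the
# in-tree Linux names; whether each is built in (y) or modular (m) depends on
# the kernel build, so the config is read rather than guessed.
HOTPLUG_DRIVERS="pciehp acpiphp shpchp"

# Print y, m or n for one Kconfig option, reading a kernel config on stdin
# (e.g. < /boot/config-$(uname -r), or zcat /proc/config.gz | ...).
# A "# CONFIG_X is not set" line, or no line at all, both yield n.
config_state() {
    state=$(sed -n "s/^$1=\([ym]\)\$/\1/p")
    if [ -n "$state" ]; then echo "$state"; else echo n; fi
}

# Map a hotplug driver name to the Kconfig option that builds it.
driver_option() {
    case "$1" in
        pciehp)  echo CONFIG_HOTPLUG_PCI_PCIE ;;
        acpiphp) echo CONFIG_HOTPLUG_PCI_ACPI ;;
        shpchp)  echo CONFIG_HOTPLUG_PCI_SHPC ;;
    esac
}

# One line per driver, "<name> <y|m|n>", from a kernel config on stdin.
# Drivers marked y are compiled into vmlinux and cannot be blacklisted; only
# a kernel rebuilt with CONFIG_HOTPLUG_PCI disabled removes those.
driver_states() {
    cfg=$(cat)
    for d in $HOTPLUG_DRIVERS; do
        echo "$d $(printf '%s\n' "$cfg" | config_state "$(driver_option "$d")")"
    done
}

# modprobe.d lines for the modular drivers. "blacklist" only stops alias-based
# autoloading; "install <mod> /bin/false" also makes an explicit modprobe fail.
blacklist_conf() {
    driver_states | while read -r d s; do
        [ "$s" = m ] || continue
        echo "blacklist $d"
        echo "install $d /bin/false"
    done
}

# Constructed sample config: core and SHPC built in, PCIe hotplug modular.
SAMPLE_CONFIG='CONFIG_HOTPLUG_PCI=y
CONFIG_HOTPLUG_PCI_PCIE=m
# CONFIG_HOTPLUG_PCI_ACPI is not set
CONFIG_HOTPLUG_PCI_SHPC=y'
printf '%s\n' "$SAMPLE_CONFIG" | driver_states
printf '%s\n' "$SAMPLE_CONFIG" | blacklist_conf
```

On a real system replace the sample with the running kernel's config (`zcat /proc/config.gz | driver_states`) and write `blacklist_conf` output to a file under /etc/modprobe.d/, then rebuild the initramfs so the blacklist applies at early boot as well.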

@marmarek

@marmarek

marmarek Jul 16, 2016

Member

Ok, I'm for this change.
@rootkovska any reason to not do this?


@rootkovska

@rootkovska

rootkovska Jul 16, 2016

Member

Sure, we should do that.


marmarek added a commit to marmarek/old-qubes-core-admin that referenced this issue Jul 18, 2016

Revert "core: detach PCI devices before shutting down VM"
Many drivers, including iwlwifi, don't handle this well, resulting in
oopses etc. Also we're disabling PCI hotplug, which may result in
more trouble here.
This reverts commit 2658c9a.

QubesOS/qubes-issues#1673
@marmarek

@marmarek

marmarek Jul 19, 2016

Member

Automated announcement from builder-github

The package kernel-devel-4.4.14-11.pvops.qubes has been pushed to the r3.2 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update


@marmarek

@marmarek

marmarek Jul 19, 2016

Member

Automated announcement from builder-github

The package kernel-devel-4.4.14-11.pvops.qubes has been pushed to the r3.2 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update


@marmarek

@marmarek

marmarek Jul 19, 2016

Member

Automated announcement from builder-github

The package kernel-4.4.14-11.pvops.qubes has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update


@marmarek

@marmarek

marmarek Jul 28, 2016

Member

Automated announcement from builder-github

The package kernel-devel-4.4.14-11.pvops.qubes has been pushed to the r3.2 stable repository for the Fedora fc23 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update


@marmarek

@marmarek

marmarek Jul 28, 2016

Member

Automated announcement from builder-github

The package kernel-devel-4.4.14-11.pvops.qubes has been pushed to the r3.2 stable repository for the Fedora fc24 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update


@marmarek

@marmarek

marmarek Jul 28, 2016

Member

Automated announcement from builder-github

The package kernel-4.4.14-11.pvops.qubes has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update
