Include all DMA-vulnerable controllers (FireWire, Thunderbolt, etc.) in sys-usb (or a separate domain) #2454
andrewdavidwong added the C: core and enhancement labels on Nov 23, 2016
andrewdavidwong added this to the Far in the future milestone on Nov 23, 2016
marmarek
Nov 24, 2016
Member
For all the devices which appear as new PCI (at least PC Card and ExpressCard), we have disabled hotplug support by default: #1673
It doesn't fully solve the problem, but largely limits its scope. Some malicious device still could be plugged in before the user powers on the machine. This requires the device to be small enough to go unnoticed, but this isn't hard to achieve.
andrewdavidwong added the help wanted and P: minor labels on Nov 25, 2016
euidzero
Mar 1, 2018
Can't Thunderbolt security levels be used to allow hotplugging of trusted devices?
https://christian.kellner.me/2017/12/14/introducing-bolt-thunderbolt-3-security-levels-for-gnulinux/
andrewdavidwong commented Nov 23, 2016
Since FireWire, Thunderbolt, PC Card, ExpressCard, PCI, PCI-X, etc. are all potentially vulnerable to DMA attacks, we should consider isolating those controllers in the default sys-usb, or a separate domain, by default (if the user chooses this option during installation).
Related issues:
#1743
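
To see which controllers on a given machine fall under this proposal, the sketch below reads PCI class codes from sysfs and flags the types the issue names that have a standard class code. It is an added example, not code from this issue or from Qubes OS; the function names and the sample device tree are constructed for illustration.

```python
import os
import tempfile

# Standard PCI base-class/sub-class codes for controller types named in the
# issue. Thunderbolt and ExpressCard ports are not identified by this table
# and need separate handling.
DMA_EXPOSED_CLASSES = {
    0x0C00: "FireWire (IEEE 1394)",
    0x0C03: "USB controller",
    0x0607: "CardBus bridge (PC Card)",
}


def find_external_dma_controllers(sysfs_root="/sys/bus/pci/devices"):
    """Return (pci_address, description) for each matching PCI function."""
    found = []
    for addr in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, addr, "class")) as fh:
                raw = int(fh.read().strip(), 16)  # e.g. "0x0c0330"
        except (OSError, ValueError):
            continue  # unreadable or malformed entry: skip it
        base_sub = raw >> 8  # drop the programming-interface byte
        if base_sub in DMA_EXPOSED_CLASSES:
            found.append((addr, DMA_EXPOSED_CLASSES[base_sub]))
    return found


def build_sample_tree():
    """Create a constructed sysfs-like tree so the example runs offline."""
    root = tempfile.mkdtemp()
    sample = {
        "0000:00:14.0": "0x0c0330",  # USB xHCI
        "0000:00:1f.6": "0x020000",  # Ethernet, not flagged
        "0000:03:00.0": "0x0c0010",  # FireWire OHCI
        "0000:04:00.0": "0x060700",  # CardBus bridge
    }
    for addr, cls in sample.items():
        os.makedirs(os.path.join(root, addr))
        with open(os.path.join(root, addr, "class"), "w") as fh:
            fh.write(cls + "\n")
    return root


if __name__ == "__main__":
    for addr, desc in find_external_dma_controllers(build_sample_tree()):
        print(addr, desc)
```

On a real system, call `find_external_dma_controllers()` with no argument to read the live `/sys/bus/pci/devices` tree.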