
Are these protections active before the kernel has booted?

Does DMA default to be off until enabled?

If firewire (and thunderbolt, expresscard) aren't DMA-free by default, then there's a time window before/during boot in which an attack could happen.

Full disk encryption/TPM/Secure Boot could help mitigate this though.




I am wondering myself too.

  The new module parameter "remote_dma" (default = N, enable
  unfiltered remote DMA = Y) replaces the former build-time
  option CONFIG_FIREWIRE_OHCI_REMOTE_DMA. (This kernel
  configuration option was located in the "Kernel hacking"
  menu, item "Remote debugging over FireWire with
  firewire-ohci".) It is therefore now possible to switch on
  RDMA at runtime on all kernels with firewire-ohci loaded or
  built-in, for example for remote debugging, without the need
  for a custom build option.
from: https://ieee1394.wiki.kernel.org/index.php/Release_Notes#Lin...

I am not an expert in these matters, but could it be that OP is wrong regarding firewire? From what I am reading here, DMA is off by default and can only be activated at runtime.

If the OP is right about the need to disable firewire, I hope someone could explain why so…
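A way to check on a running box what the quoted release notes describe, as an added example (not from either commenter): read the firewire-ohci "remote_dma" parameter live from sysfs and scan modprobe.d-style options text for a line that would turn it on at the next module load. It assumes the kernel exposes the parameter at /sys/module/firewire_ohci/parameters/remote_dma as a Y/N bool; the modprobe.d content is a constructed sample.

```shell
#!/bin/sh
# Added example: audit the firewire-ohci "remote_dma" module parameter.
# Assumption: sysfs path /sys/module/firewire_ohci/parameters/remote_dma
# holds the live bool value (Y/N) when the module is loaded.

# Classify a raw parameter value as "on", "off" or "unknown".
classify_remote_dma() {
    case "$1" in
        Y|y|1) echo on ;;
        N|n|0) echo off ;;
        *)     echo unknown ;;
    esac
}

# Read the live value from sysfs; prints "absent" when the file is missing
# (module not loaded, or no FireWire controller in the machine).
live_remote_dma() {
    f="${1:-/sys/module/firewire_ohci/parameters/remote_dma}"
    if [ -r "$f" ]; then classify_remote_dma "$(cat "$f")"; else echo absent; fi
}

# Filter stdin (modprobe.d-style text) down to "options firewire-ohci" lines
# that set remote_dma on, i.e. settings that would persist across reboots.
rdma_options_lines() {
    grep -E '^[[:space:]]*options[[:space:]]+firewire[-_]ohci([[:space:]].*)?[[:space:]]remote_dma=(1|Y|y)([[:space:]]|$)'
}

# Count enabling lines in a config text passed as one argument.
count_rdma_enables() {
    printf '%s\n' "$1" | rdma_options_lines | wc -l | tr -d ' '
}

# Constructed sample modprobe.d content for the demo (not a real file).
SAMPLE_CONF='# comment only
options firewire-ohci remote_dma=N
options firewire-ohci debug=1 remote_dma=Y
options snd_hda_intel power_save=1'

main() {
    echo "live remote_dma: $(live_remote_dma)"
    echo "enabling lines in sample config: $(count_rdma_enables "$SAMPLE_CONF")"
    printf '%s\n' "$SAMPLE_CONF" | rdma_options_lines
}

main "$@"
```

On a real system, pipe the output of `cat /etc/modprobe.d/*.conf` into rdma_options_lines instead of the sample text.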



