Blocklist dangerous PCIe hotplugging modules that are not needed for supported use cases
Originally created by @cypherpunks on #11581 (Redmine)
The shpchp kernel module enables PCIe hotplugging, which enables DMA attacks. These are commonly used in the wild by law enforcement in order to obtain forensically valid snapshots of memory. Tails users have no need for PCIe hotplugging, so the shpchp driver should be disabled.
--- /etc/modprobe.d/no-shpchp.conf
+++ /etc/modprobe.d/no-shpchp.conf
@@ -0,0 +1 @@
+blacklist shpchp
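Review bot: The single added line `blacklist shpchp` only makes modprobe ignore the module's internal aliases, so it stops alias-based autoloading but not an explicit `modprobe shpchp` or a load pulled in as a dependency of another module. If the intent is that the driver can never be loaded, pair it with `install shpchp /bin/false` in the same file. The new file also has no comment explaining why the module is blocked, and the title speaks of modules in the plural while only one is listed, so a comment line referencing the ticket and stating whether other hotplug drivers are in scope would make the file self-explanatory.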
Parent Task: #5451
Edited by cypherpunks