Feature #5317

Disable FireWire DMA

Added by Tails about 6 years ago. Updated about 5 years ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
No
Affected tool:

Description

The kernel documentation reads (debugging-via-ohci1394.txt):

The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with CONFIG_FIREWIRE_OHCI_REMOTE_DMA [...] to get unfiltered physical DMA.

Given:

  1. CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set in Debian's Linux 3.2.
  2. Only the new FireWire stack (firewire-ohci) is shipped in Debian's Linux 3.2.

... Tails seems to be immune from the physical memory attacks via FireWire/DMA we know.

    Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html

    Blacklisting + unloading firewire_sbp2 is apparently enough to make Tails immune.

Resources

Wait for "protect against external bus memory forensics" (#5451).
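As an added illustration (not code from this ticket or from Tails), the following POSIX shell script audits the three facts the description relies on and produces the mitigation mentioned in the quoted follow-up: whether CONFIG_FIREWIRE_OHCI_REMOTE_DMA is set (unfiltered physical DMA), whether the legacy ieee1394 stack is built at all, which firewire_* modules are currently loaded and in what order they can be removed, and a modprobe fragment that blacklists them. The kernel config and lsmod output embedded below are constructed samples modelled on a Debian 3.2 kernel; on a live system you would feed it /boot/config-$(uname -r) (or zcat /proc/config.gz) and lsmod. The target path /etc/modprobe.d/ for the generated fragment is an assumption; the `install <module> /bin/true` directive is used because `blacklist` alone does not stop a module being pulled in by alias or as a dependency.

```shell
#!/bin/sh
# Added example (not Tails' own code): audit FireWire DMA posture from a kernel
# config and a module list, then emit a modprobe fragment that blacklists the stack.

# Constructed sample of /boot/config-$(uname -r) for a Debian-style 3.2 kernel.
SAMPLE_CONFIG='CONFIG_FIREWIRE=m
CONFIG_FIREWIRE_OHCI=m
CONFIG_FIREWIRE_SBP2=m
# CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set
# CONFIG_IEEE1394 is not set'

# Constructed sample of `lsmod` output on a machine with a FireWire controller.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_sbp2          24576  0
firewire_ohci          45056  0
firewire_core          73728  2 firewire_sbp2,firewire_ohci
crc_itu_t              16384  1 firewire_core'

# check_remote_dma CONFIG_TEXT -> "unfiltered" if firewire-ohci was built with
# CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y, otherwise "filtered" (the default).
check_remote_dma() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y'; then
        echo unfiltered
    else
        echo filtered
    fi
}

# old_stack_present CONFIG_TEXT -> succeeds if the legacy ieee1394/ohci1394
# stack is built (=y or =m); that stack exposes physical DMA unconditionally.
old_stack_present() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_IEEE1394=[ym]'
}

# loaded_firewire_modules LSMOD_TEXT -> space-separated firewire_* modules loaded.
loaded_firewire_modules() {
    printf '%s\n' "$1" | awk 'NR>1 && $1 ~ /^firewire_/ {print $1}' \
        | tr '\n' ' ' | sed 's/ $//'
}

# unload_order LSMOD_TEXT -> the loaded firewire_* modules in an rmmod order that
# respects dependencies: sbp2 and ohci both depend on firewire_core, so core last.
unload_order() {
    loaded=$(loaded_firewire_modules "$1")
    out=''
    for m in firewire_sbp2 firewire_ohci firewire_core; do
        case " $loaded " in *" $m "*) out="$out $m" ;; esac
    done
    printf '%s' "${out# }"
}

# blacklist_conf -> contents for a file such as /etc/modprobe.d/no-firewire.conf
# (path is an assumption). "install X /bin/true" makes modprobe run /bin/true
# instead of loading X, which also defeats loading by alias or as a dependency.
blacklist_conf() {
    for m in firewire_sbp2 firewire_ohci firewire_core; do
        printf 'blacklist %s\ninstall %s /bin/true\n' "$m" "$m"
    done
}

# Stand-alone run on the embedded samples. On a live system replace the two
# variables with "$(cat /boot/config-$(uname -r))" and "$(lsmod)".
echo "physical DMA via firewire-ohci: $(check_remote_dma "$SAMPLE_CONFIG")"
if old_stack_present "$SAMPLE_CONFIG"; then
    echo "legacy ieee1394 stack is built: review ohci1394/sbp2 as well"
fi
echo "loaded: $(loaded_firewire_modules "$SAMPLE_LSMOD")"
echo "rmmod order: $(unload_order "$SAMPLE_LSMOD")"
echo "--- modprobe fragment ---"
blacklist_conf
```

The `rmmod order` line is the step the quoted follow-up describes: `firewire_sbp2` must go first because it is the module that speaks SBP-2 to an attached device, and `firewire_core` cannot be removed while either consumer is loaded. The generated fragment is what keeps the modules from coming back on the next hot-plug event.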


Related issues

Blocked by Tails - Feature #5451: Protect against external bus exploitation Confirmed 06/13/2015

History

#1 Updated by intrigeri about 6 years ago

  • Subject changed from disable firewire? to disable FireWire DMA
  • Type of work changed from Wait to Code

#2 Updated by BitingBird about 5 years ago

  • Subject changed from disable FireWire DMA to Disable FireWire DMA
  • Starter set to No
