Disable FireWire DMA
The kernel documentation reads (
The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with
CONFIG_FIREWIRE_OHCI_REMOTE_DMA[...] to get unfiltered physical DMA.
CONFIG_FIREWIRE_OHCI_REMOTE_DMAis not set in Debian's Linux 3.2.
- Only the new FireWire stack (
firewire-ohci) is shipped in Debian's Linux 3.2.
... Tails seems to be immune from the physical memory attacks via FireWire/DMA we know.
Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html
Blacklisting + unloading
firewire_sbp2is apparently enough to make Tails immune.
- Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation
- Using physical DMA provided by OHCI-1394 FireWire controllers for debugging
wait for protect against external bus memory forensics (#5451).