Blocklist dangerous PCIe hotplugging modules that are not needed for supported use cases

The shpchp kernel module enables PCIe hotplugging, which enables DMA attacks. These are commonly used in the wild by law enforcement in order to obtain forensically valid snapshots of memory. Tails users have no need for PCIe hotplugging, so the shpchp driver should be disabled.

--- /etc/modprobe.d/no-shpchp.conf
+++ /etc/modprobe.d/no-shpchp.conf
@@ -0,0 +1 @@
+blacklist shpchp
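
Review bot: The single `blacklist shpchp` line only stops modprobe from loading the module through its device aliases; an explicit `modprobe shpchp`, or a load as a dependency of another module, still succeeds. If the intent is that the driver can never be loaded, add `install shpchp /bin/false` to the same file. It is also worth confirming that shpchp is built as a loadable module in the shipped kernel, since a modprobe.d entry has no effect on a driver that is compiled in.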

Parent Task: #5451

Original created by @cypherpunks on 11581 (Redmine)