Blocklist dangerous PCIe hotplugging modules that are not needed for supported use cases
The shpchp kernel module enables PCIe hotplugging, which enables DMA attacks. These are commonly used in the wild by law enforcement in order to obtain forensically valid snapshots of memory. Tails users have no need for PCIe hotplugging, so the shpchp driver should be disabled.
--- /etc/modprobe.d/no-shpchp.conf
+++ /etc/modprobe.d/no-shpchp.conf
@@ -0,0 +1 @@
+blacklist shpchp
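Review bot: on the added line `blacklist shpchp`, the `blacklist` directive only tells modprobe to ignore the module's internal aliases, so it stops alias-based autoloading but not an explicit `modprobe shpchp` or a load requested as a dependency of another module. If the intent is that the driver can never be loaded, add `install shpchp /bin/false` next to it. The new file also carries no comment saying why the module is disabled, and the title speaks of modules in the plural while this hunk covers only shpchp, so any other hotplug drivers that are in scope should be listed here as well.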
Parent Task: #5451
Original created by @cypherpunks on 11581 (Redmine)