Disable FireWire DMA
The kernel documentation reads (debugging-via-ohci1394.txt
):
The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with
CONFIG_FIREWIRE_OHCI_REMOTE_DMA
[…] to get unfiltered physical DMA.
Given:
-
CONFIG_FIREWIRE_OHCI_REMOTE_DMA
is not set in Debian’s Linux 3.2. - Only the new FireWire stack (
firewire-ohci
) is shipped in Debian’s Linux 3.2.
… Tails seems to be immune from the physical memory attacks via FireWire/DMA we know.
Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html
Blacklisting + unloading
firewire_sbp2
is apparently enough to make Tails immune.
Resources
- Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update)
- Using physical DMA provided by OHCI-1394 FireWire controllers for debugging
wait for protect against external bus memory forensics (#5451).
Related issues
-
Blocked by #5451
Original created by @tails on 5317 (Redmine)