Disable FireWire DMA

The kernel documentation reads (debugging-via-ohci1394.txt):

The alternative firewire-ohci driver in drivers/firewire uses filtered physical DMA by default, which is more secure but not suitable for remote debugging. Compile the driver with CONFIG_FIREWIRE_OHCI_REMOTE_DMA […] to get unfiltered physical DMA.

Given:

  1. CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set in Debian’s Linux 3.2.
  2. Only the new FireWire stack (firewire-ohci) is shipped in Debian’s Linux 3.2.

… Tails seems to be immune to the physical-memory attacks via FireWire/DMA that we know of.

Steve Weis was able to prove that wrong in practice: https://mailman.boum.org/pipermail/tails-dev/2012-October/001857.html

Blacklisting + unloading firewire_sbp2 is apparently enough to make Tails immune.
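As an added illustration (not part of this issue or of Tails' own code), the script below turns the two checks above into something a defender can run: it reads the `CONFIG_FIREWIRE_OHCI_REMOTE_DMA` state out of a kernel config file, checks a `/proc/modules`-style listing for `firewire_sbp2`, and emits the `/etc/modprobe.d/` fragment that blacklists the module. The file paths are parameters and the inputs at the bottom are constructed samples, so it runs offline; on a real system you would point it at `/boot/config-$(uname -r)` and `/proc/modules`, write the fragment, and then `modprobe -r firewire_sbp2`.

```shell
#!/bin/sh
# Added example (not from the Tails issue): inspect a kernel config for
# CONFIG_FIREWIRE_OHCI_REMOTE_DMA and generate/verify a modprobe blacklist
# for firewire_sbp2. Paths are arguments so the functions work on any input.

# Print "y" if unfiltered physical DMA is compiled in, "n" if the option is
# explicitly unset (as in Debian's 3.2 config), "absent" if the config file
# does not mention the option at all (e.g. a kernel without the new stack).
remote_dma_state() {
    cfg="$1"
    if grep -q '^CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y$' "$cfg"; then
        echo y
    elif grep -q '^# CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set$' "$cfg"; then
        echo n
    else
        echo absent
    fi
}

# Emit the modprobe.d fragment that blacklists firewire_sbp2. The "install"
# line also stops the module being pulled in as a dependency of something else.
sbp2_blacklist_conf() {
    printf 'blacklist firewire_sbp2\ninstall firewire_sbp2 /bin/true\n'
}

# Given a /proc/modules-style listing, succeed (exit 0) if firewire_sbp2 is loaded.
sbp2_loaded() {
    grep -q '^firewire_sbp2 ' "$1"
}

# Constructed sample inputs so the script can be run as-is.
tmp=$(mktemp -d)
printf 'CONFIG_FIREWIRE=m\n# CONFIG_FIREWIRE_OHCI_REMOTE_DMA is not set\nCONFIG_FIREWIRE_OHCI=m\n' \
    > "$tmp/config-sample"
printf 'firewire_sbp2 16384 0 - Live 0xffffffffc0000000\nfirewire_ohci 40960 0 - Live 0xffffffffc0010000\n' \
    > "$tmp/modules-sample"

echo "remote DMA in sample config: $(remote_dma_state "$tmp/config-sample")"
if sbp2_loaded "$tmp/modules-sample"; then
    echo "firewire_sbp2 is loaded; fragment to drop into /etc/modprobe.d/:"
    sbp2_blacklist_conf
    # On a live system, follow this with: modprobe -r firewire_sbp2
fi
rm -rf "$tmp"
```

The `remote_dma_state` check is what item 1 of the issue relies on; `sbp2_loaded` plus the blacklist fragment is the mitigation the last line describes.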

Resources

Wait for "protect against external bus memory forensics" (#5451).

Original created by @tails on 5317 (Redmine)