Clarify DMA hardening

This commit is contained in:
Raja Grewal 2024-08-16 12:41:36 +10:00
parent be9308e490
commit e3a3207a44
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 12 additions and 7 deletions


@ -161,8 +161,11 @@ configuration file.
- Provide the option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7).
- Enable strict IOMMU translation to protect against DMA attacks and disable
the busmaster bit on all PCI bridges during the early boot process.
- Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware.
- Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool.
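Review bot: the new busmaster bullet ("Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware.") carries the boot-failure caveat but not the trust assumption that the matching config comment in this same commit states ("Assumes that the motherboard chipset and firmware are not malicious"); since the README is where a user decides whether to enable the option, add that sentence here too so the threat-model limit is visible without opening the config file. Minor: the preceding bullet's "some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings" reads more cleanly as "using both the CPU vendor's IOMMU driver and the generic iommu kernel settings".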


@ -184,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
## Enable and force use of IOMMU translation to protect against DMA attacks.
## Enable and force use of IOMMU translation to protect against some DMA attacks.
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
## Ensures devices will never be able to access stale data contents.
##
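Review bot: "mitigate some DMA attacks" is an improvement over "protect against DMA attacks", but the comment still does not say which attacks stay out of scope; since the section below explicitly covers DMA "prior to the kernel's IOMMU setup", a half sentence here such as "does not cover DMA issued before the kernel configures the IOMMU; see the busmaster section below" would tell the reader why both settings are needed. Same wording note applies to the second replaced line ("Enable and force use of IOMMU translation to protect against some DMA attacks").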
@ -201,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
## Disable the busmaster bit on all PCI bridges during the early boot process.
## Patches weak points in some existing IOMMU implementations.
## May lead to issues such as complete system boot failure on certain devices.
## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
## Assumes that the motherboard chipset and firmware are not malicious.
## May cause complete boot failure on certain hardware with incompatible firmware.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
## https://mjg59.dreamwidth.org/54433.html
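Review bot: "Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA" reads as though the device re-enables the bit on its own, which would defeat the point of clearing it; the bit is a field in PCI configuration space and is re-enabled later by the kernel when a driver claims the device, i.e. after the IOMMU setup that the previous line refers to. Suggest rewording to "Bus mastering is re-enabled by the kernel when a driver binds to the device, after the IOMMU is active." The removed rationale "Patches weak points in some existing IOMMU implementations" explained why this setting is needed on top of iommu.strict=1 above; the new "Terminates all existing DMA transactions prior to the kernel's IOMMU setup" covers the mechanism, so consider keeping a short version of the old sentence as the motivation.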