Clarify DMA hardening

This commit is contained in:
Raja Grewal 2024-08-16 12:41:36 +10:00
parent be9308e490
commit e3a3207a44
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 12 additions and 7 deletions


@ -161,8 +161,11 @@ configuration file.
- Provide the option to disable support for all x86 processes and syscalls to reduce - Provide the option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7). attack surface (when using Linux kernel version >= 6.7).
- Enable strict IOMMU translation to protect against DMA attacks and disable - Enable strict IOMMU translation to protect against some DMA attacks via the use
the busmaster bit on all PCI bridges during the early boot process. of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware.
- Do not credit the CPU or bootloader as entropy sources at boot in order to - Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool. maximize the absolute quantity of entropy in the combined pool.
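Review bot: the new busmaster bullet should name the kernel command-line option it enables, since it is the one item on this list that can prevent the machine from booting and a user recovering from the GRUB menu needs to know which parameter to drop. The kernel commit the config links to introduces it as `efi=disable_early_pci_dma`, so a parenthetical such as "(via the `efi=disable_early_pci_dma` kernel parameter)" would do. Also, "which disables DMA before the IOMMU is configured" reads as if DMA stays off; the config comment in the same commit says existing transactions are terminated and devices re-set the bit afterwards, and the README wording should match that.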


@ -184,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## ##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. ## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
## ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
## Enable and force use of IOMMU translation to protect against DMA attacks. ## Enable and force use of IOMMU translation to protect against some DMA attacks.
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
## Ensures devices will never be able to access stale data contents. ## Ensures devices will never be able to access stale data contents.
## ##
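Review bot: the softened wording ("mitigate some DMA attacks", "protect against some DMA attacks") now sits directly above the unchanged absolute claim "Ensures devices will never be able to access stale data contents", which undercuts the point of the change. Suggest qualifying that line the same way, e.g. "## Prevents devices from accessing stale mappings after an unmap (iommu.strict=1)", so the block is consistent about what the IOMMU settings do and do not guarantee.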
@ -201,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
## Disable the busmaster bit on all PCI bridges during the early boot process. ## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
## Patches weak points in some existing IOMMU implementations. ## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
## May lead to issues such as complete system boot failure on certain devices. ## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
## Assumes that the motherboard chipset and firmware are not malicious.
## May cause complete boot failure on certain hardware with incompatible firmware.
## ##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
## https://mjg59.dreamwidth.org/54433.html ## https://mjg59.dreamwidth.org/54433.html
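Review bot: "Assumes that the motherboard chipset and firmware are not malicious" states the trust assumption without saying why it matters here; since the busmaster bit is cleared by the kernel's EFI stub and can be set again by anything with config-space access, a clearer form is "## Does not protect against a malicious chipset or firmware, which can re-enable bus mastering." Likewise "Forces third party PCI devices to then re-set their busmaster bit" is vague about who does the re-setting: it is the kernel driver that binds the device that re-enables bus mastering, so "## Devices regain DMA only once their kernel driver re-enables bus mastering" is more accurate. Finally, the comment block never names the parameter it documents, and the `GRUB_CMDLINE_LINUX` line carrying it is outside this hunk's context; repeating `efi=disable_early_pci_dma` in the boot-failure line would tell a user exactly what to remove from the kernel command line when the machine fails to boot.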