Re: Flames over -- Re: Which is simpler? (Was Re: [Suspend2-devel]Re: [ 00/10] [Suspend2] Modules support.)

[Johannes Berg]

On Sun, 2006-02-12 at 13:28 -0500, Kyle Moffett wrote:

> /me reads spec. *sigh*  Whatever idiocy-committee wrote that spec was  
> clearly either smoking crack or living in a fantasy-world (or both).   
> An arbitrary unrestricted DMA bus is a massive and painfully obvious  
> security hole.  Can somebody _please_ shoot the guy that came up with  
> that brilliant idea?  At least it looks like it's not available if  
> the firewire modules aren't loaded, which means that you can prevent  
> that sort of attack, and my laptop luckily doesn't load those modules  
> at boot just to save a bit of memory.  

might not help since your firmware turns on the firewire port to enable
booting from firewire disks.

> Even still, that's just a  
> terrible idea.  Is there any practical way to restrict DMA and make  
> FireWire secure?

load the modules with phys_dma=0

johannes

Attachment: signature.asc
Description: This is a digitally signed message part