mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Add discussion regarding mitigating DMA attacks

This commit is contained in:
Raja Grewal 2022-11-09 21:56:40 +11:00
parent 12a9d2958e
commit 83ce00f7f1
No known key found for this signature in database
GPG Key ID: 3AE213D7DCCA7CCB


@ -273,6 +273,14 @@ As sources of initial entropy at boot, both the CPU and bootloader should be [di
random.trust_cpu=off random.trust_bootloader=off random.trust_cpu=off random.trust_bootloader=off
``` ```
Additionally, direct memory access (DMA) attacks can be [mitigateed](https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks) via IOMMU and previously mentioned kernel module disabling. Furthermore, [strict enforcement](https://github.com/Kicksecure/security-misc/blob/master/etc/default/grub.d/40_enable_iommu.cfg) of IOMMU TLB invalidation should be applied so devices will never be able to access stale data contents. Applying these kernel parameters is necessary:
```
intel_iommu=on amd_iommu=on efi=disable_early_pci_dma iommu.passthrough=0 iommu.strict=1
```
Note that disabling the busmaster bit on all PCI bridges during very early boot can cause complete boot failure on certain systems if they do not have adequate resources. Therefore, always ensure you have a fallback option to boot into the device.
### Restricting access to /proc and /sys ### Restricting access to /proc and /sys
You should read these 2 sections in Madaidan's guide to further reduce the attack surface on the kernel: You should read these 2 sections in Madaidan's guide to further reduce the attack surface on the kernel:
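Review bot: The boot-failure caveat in the last added paragraph should name the parameter it refers to, since the preceding line lists five parameters together; `efi=disable_early_pci_dma` is the one that clears the busmaster bit on PCI bridges during early boot, so stating that explicitly tells a reader which parameter to leave out of the fallback boot entry the text recommends keeping. Minor style point in the same hunk: "mitigateed" should read "mitigated".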