Date: Wed, 17 May 2006 20:47:08 +0200 (MEST)
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
To: Avi Kivity <avi@argo.co.il>
cc: Joerg Pommnitz <pommnitz@yahoo.com>,
       Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: Wiretapping Linux?
In-Reply-To: <446B3082.1000200@argo.co.il>
Message-ID: <Pine.LNX.4.61.0605172045390.5095@yvahk01.tjqt.qr>
References: <20060517132503.79272.qmail@web51410.mail.yahoo.com>
 <446B3082.1000200@argo.co.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1256
Lines: 30

>> > A pci device can read system RAM and other memory-mapped PCI devices
>> > (such as display framebuffers) using DMA. In addition, a pci (but not
>> > pci-express) device can snoop on pci bus traffic to other devices.
>> > Typically, however, hard drive controllers will be integrated into the
>> > chipset so the data is not on the bus.
>> 
>> Thanks for providing this information. This makes the binary firmware
>> required for peripherals even more interesting for security conscious
>> people.
>
> Note that some machines have IOMMUs so it may be possible to prevent a device
> from reading main memory, perhaps at a performance cost.
>
> My AMD machine disables the IOMMU on startup.
>
> If you don't trust your hardware there are only two solutions: keep it off the
> net or keep it off.

It gets even more complex with remote management solutions, ranging from 
simple PCI boards that can reset the machine to fully-integrated [like 
Sun's RSC] processors that can poke anything.


Jan Engelhardt
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/