lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47ACAF9C.6030003@s5r6.in-berlin.de>
Date:	Fri, 08 Feb 2008 20:38:04 +0100
From:	Stefan Richter <stefanr@...6.in-berlin.de>
To:	Bernhard Kaindl <bk@...e.de>
CC:	"H. Peter Anvin" <hpa@...or.com>, John Stoffel <john@...ffel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Maxim Levitsky <maximlevitsky@...il.com>,
	Ingo Molnar <mingo@...e.hu>, linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>
Subject: remote DMA via FireWire (was Re: [git pull] x86 arch updates for
 v2.6.25)

Bernhard Kaindl wrote:
> Regarding security:
> 
> On the software side: The new fw-ohci driver seems to allow physical DMA only
> to devices which pretend to be FireWire disks (it is the specified way to
> transfer the data)
...

To be precise, firewire-sbp2 tells firewire-ohci to open up the physical
response unit (which implements the remote DMA feature) for the target
node from when it tries the SBP-2 login until when it completes the
SBP-2 logout or the target is plugged out.  Let's call it filtered
physical DMA.

A mode which doesn't require the physical response unit could be
implemented in firewire-sbp2, but this would come with a considerable
overhead regarding code, runtime CPU usage due to huge interrupt
handling load, and additional runtime memory footprint.

The older sbp2 driver relies on unfiltered physical DMA, hence is less
secure.  There can be a mode selected at compile time to run without
physical DMA, but that's buggy and implemented in a way which is not
portable.

The only reason why we don't have an SBP-2 initiator which works without
remote DMA is that nobody is bothered enough to either debug that mode
in the old driver or implement it in the new driver.  Besides, we could
rather trivially add filtered physical DMA to the old
sbp2/ieee1394/ohci1394 stack but nobody took the time to do this yet either.

> With FireWire enabled by the BIOS, a hacker could (in theory) load his
> own operating system into the system RAM and boot it
...

x86 BIOSes don't initialize OHCI-1394 controllers up to the point that
its physical response unit were working remote nodes were granted access
to it.

Apple's OpenFirmware implements SBP-2 initiator but I don't know if it
uses the physical response unit.  But this point is moot --- you can
boot from SBP-2 targets.
-- 
Stefan Richter
-=====-==--- --=- -=---
http://arcgraph.de/sr/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ