tech-security archive
Re: NetBSD's security features and hardening options
- To: carderplanet@national.shitposting.agency
- Subject: Re: NetBSD's security features and hardening options
- From: Thor Lancelot Simon <tls%panix.com@localhost>
- Date: Wed, 17 Nov 2021 12:20:20 -0500
On Wed, Nov 17, 2021 at 10:06:10AM +0000, carderplanet@national.shitposting.agency wrote:
>
> 4) efi=disable_early_pci_dma
>
> This option fixes a hole in the above IOMMU by disabling
> the busmaster bit on all PCI bridges during very early boot.
Just one note - this is...how do I put it? Highly aspirational. The earliest
stages of the boot firmware have to get this exactly right; the kernel really
has no control. Don't set this and go away with a false sense of security; if
every single component of the boot chain, including some which are earlier
than anything you or the kernel can touch, does not handle this perfectly then
there is still a window of opportunity which an attacker can exploit, and it
cannot really be usefully decreased such that it is unexploitable.
Thor