Open andrewdavidwong opened 7 years ago
For all the devices which appear as new PCI devices (at least PC Card and ExpressCard), we have disabled hotplug support by default: #1673. It doesn't fully solve the problem, but largely limits its scope. Some malicious device could still be plugged in before the user powers on the machine. This requires the device to be small enough to go unnoticed, but this isn't hard to achieve.
Can't Thunderbolt security levels be used to allow hotplugging of trusted devices? https://christian.kellner.me/2017/12/14/introducing-bolt-thunderbolt-3-security-levels-for-gnulinux/
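The security level asked about above is exposed by the Linux kernel per Thunderbolt domain in sysfs. The following is an added example, not part of this thread or of Qubes OS: it reports each domain's level and every authorized device, including the `boot` attribute that marks devices the firmware authorized before the OS started. The function names and the sysfs-root parameter are assumptions of this example.

```shell
#!/bin/sh
# Map a kernel Thunderbolt security level to what it means for PCIe tunneling.
tb_classify() {
    case "$1" in
        none)                  echo "open" ;;     # devices are connected automatically
        user|secure)           echo "gated" ;;    # PCIe tunnel needs explicit authorization
        dponly|usbonly|nopcie) echo "no-pcie" ;;  # no PCIe tunnels are created
        *)                     echo "unknown" ;;
    esac
}

# tb_audit [SYSFS_ROOT]
# Prints one line per domain and one per authorized device.
# Returns 1 if any domain is "open" or has an unrecognized level, else 0.
tb_audit() {
    root="${1:-/sys}"            # parameter exists so a constructed tree can be audited
    base="$root/bus/thunderbolt/devices"
    rc=0
    for dom in "$base"/domain*; do
        [ -r "$dom/security" ] || continue
        level=$(cat "$dom/security")
        class=$(tb_classify "$level")
        echo "${dom##*/}: security=$level ($class)"
        if [ "$class" = "open" ] || [ "$class" = "unknown" ]; then
            rc=1
        fi
    done
    for dev in "$base"/*; do
        # Only device entries carry an "authorized" attribute; domains do not.
        [ -r "$dev/authorized" ] || continue
        auth=$(cat "$dev/authorized")
        [ "$auth" = "0" ] && continue
        # boot=1: already authorized by firmware when the OS started.
        boot=$(cat "$dev/boot" 2>/dev/null || echo "?")
        echo "  ${dev##*/}: authorized=$auth boot=$boot"
    done
    return "$rc"
}
```

Run `tb_audit` with no argument to inspect the live `/sys` tree; a device listed with `boot=1` was connected and authorized before the OS had any say.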
@DemiMarie has suggested that this also include SD card readers (#4235).
For reference: Re-enabling PCIE hotplug can expose Qubes OS to various DMA attacks if not carefully done.
I think the problem is actually rather simple for QubesOS.
My threat model is:
Xen only needs to make IOMMU assignments at VM startup and shutdown. Both of these are slow anyway.
Also, switching to seL4 (once that becomes possible) would obviate the attack: seL4 will have formally-verified IOMMU management by the time it becomes usable in a system like QubesOS.
On Thu, Mar 21, 2019, 10:46 AM 3hhh notifications@github.com wrote:
For reference: Re-enabling PCIE hotplug can expose Qubes OS to various DMA attacks if not carefully done.
- Without #2841 https://github.com/QubesOS/qubes-issues/issues/2841 devices could e.g. play to be an Intel GPU and bypass IOMMU.
- Many OSes apparently incorrectly implemented the PCIE IOMMU setup for hotplugging in the past [1].
- Options such as ATS essentially made bypassing the IOMMU trivial [1]. ATS is currently disabled in Qubes OS.
For all the devices which appear as new PCI devices (at least PC Card and ExpressCard), we have disabled hotplug support by default: #1673. It doesn't fully solve the problem, but largely limits its scope.
Sounds like this may not be working correctly. A user has reported:
On the Thinkpad X230, inserting a microSD card into the reader slot will auto-attach it to Dom0.
Seems like a weird decision but I am not that informed on info-sec.
The card reader was always there; inserting a card into a reader isn't the same as connecting the PCI card reader itself. In particular, the card itself cannot issue DMA, while the (PCI) card reader can. BTW, "PC Card" and "ExpressCard" are totally different things than "SD card". The former are hot-pluggable PCI devices (which can do basically anything), the latter is just a storage medium.
So, while attaching the SD card reader to a specific qube by default may be a good idea, it is a separate feature request.
Ok, my mistake. Thanks for the clarification. I've reopened #2055 for the separate request.
Since FireWire, Thunderbolt, PC Card, ExpressCard, PCI, PCI-X, etc. are all potentially vulnerable to DMA attacks, we should consider isolating those controllers in the default sys-usb, or a separate domain, by default (if the user chooses this option during installation).
Related issues:
1743