Linked by David Adams on Fri 2nd Mar 2012 16:03 UTC
Privacy, Security, Encryption When was the last time you reverse-engineered all the PCI devices on your motherboard?. . . Enters the game-changer: IOMMU (known as VT-d on Intel). With proper OS/VMM design, this technology can address the very problem of most of the hardware backdoors. A good example of a practical system that allows for that is Xen 3.3, which supports VT-d and allows you to move drivers into a separate, unprivileged driver domain(s). This way each PCI device can be limited to DMA only to the memory region occupied by its own driver.
Order by: Score:
Lennie
Member since:
2007-09-22

On most PC-systems graphics card and for example your NIC also have firmware that loads during startup. The main BIOS does that before it loads the OS.

So that also needs to be disabled or adopted to only allow access to certain parts of the system. Which means you'll need an open source BIOS.

I'm pretty sure at that stage using IOMMU/VT-d wouldn't work.

So you would need to have your own implementation of the graphics card BIOS. The NIC can handled later by the OS I would think.

Anyway good luck getting an open BIOS for your graphics card :-(

So there is probably only one solution for that: the open graphics project ?

They still seem to be at Phase I of their project.

The other solution is startup without graphics ofcourse...

Reply Score: 3

Luminair Member since:
2007-03-30

you are right, but to deal with this people can (and do) just dump their bios to a file and use that. but this field is totally new and underdeveloped and underdocumented and undertested, so you have to be a hacker to deal with it. but there it is.

it is wonderful that the software and hardware exist now to run linux, passthrough your graphics card to windows, and play virtualized games at full speed. the bad part is nobody normal is allowed to do it. domain of the nerds and all.

Reply Score: 2

Lennie Member since:
2007-09-22

I've been thinking some more about this and how does the "secure boot" UEFI deal with the graphics card firmware ?

I guess it uses some higher level interface ? Not the legacy one that needs a VGA-console.

So I was actually wrong.

I see that Linux 3.3 now also supports starting from EFI directly.

Reply Score: 2

Lennie Member since:
2007-09-22

I checked, the firmware that needs to be loaded of the devices like NIC and graphics card are signed just like the OS with different private/public keypairs.

Reply Score: 2

v Comment by Nico57
by Nico57 on Sat 3rd Mar 2012 00:16 UTC
RE: Comment by Nico57
by David on Sat 3rd Mar 2012 00:28 UTC in reply to "Comment by Nico57"
David Member since:
1997-10-01

Sorry. Read it on HN today and found it interesting.

Reply Score: 1

RE[2]: Comment by Nico57
by Nico57 on Sat 3rd Mar 2012 00:47 UTC in reply to "RE: Comment by Nico57"
Nico57 Member since:
2006-12-18

Hacker News?
I had never heard about this website, thanks for mentionning it.

Reply Score: 1

RE[2]: Comment by Nico57
by broken_symlink on Sat 3rd Mar 2012 01:05 UTC in reply to "RE: Comment by Nico57"
broken_symlink Member since:
2005-07-06

do you know how to get the hacker news rss feed to go to directly to the hacker news page, like how reddit's rss feed works? when i click on a hacker news article in my feed reader it goes directly to the linked page instead of the hacker news page with comments.

Reply Score: 2

RE[2]: Comment by Nico57
by boxy on Sat 3rd Mar 2012 04:40 UTC in reply to "RE: Comment by Nico57"
boxy Member since:
2011-06-20

Sorry. Read it on HN today and found it interesting.


The article is still as relevant today as it was then. I thought it was a great read. Thanks for this.

Reply Score: 2

RE[2]: Comment by Nico57
by renox on Sat 3rd Mar 2012 09:59 UTC in reply to "RE: Comment by Nico57"
renox Member since:
2005-07-06

It is interesting article.
Another interesting "fact" I've heard is that in many cases the IO-MMU was disabled because it was buggy.

I don't know if this is still the case now, but that's interesting, no?
Even if the CPU has an IO-MMU doesn't mean that it is used..

Reply Score: 2

It's definitely a concern
by benali72 on Sat 3rd Mar 2012 04:35 UTC
benali72
Member since:
2008-05-03

Hardware security from backdoors has been a concern of mine for some time because if you travel to China (as every businessperson learns) you will find that your items are not secure. Many business travellers find malware planted on their machines and foreign companies often have very strict policies employees must follow to avoid loss of IP.

I'd like to buy a Lenovo laptop running Linux sometime but given this background....

Thanks for the link because my guess is there might come a time when suddenly everyone gets very interested in this topic.

Reply Score: 0

RE: It's definitely a concern
by Kivada on Sat 3rd Mar 2012 05:03 UTC in reply to "It's definitely a concern"
Kivada Member since:
2010-07-07

Your best bet to get a laptop using CoreBoot to avoid the BIOS backdoors would be with begging the Linux only laptop companies like Zareason and System76. They would be the most likely to actually build specifically for maximum compatibility.

Reply Score: 2

RE[2]: It's definitely a concern
by Lennie on Mon 5th Mar 2012 10:59 UTC in reply to "RE: It's definitely a concern"
Lennie Member since:
2007-09-22

There are only very few laptops supported:

http://www.coreboot.org/Laptop

Reply Score: 2

RE: It's definitely a concern
by zima on Fri 9th Mar 2012 23:27 UTC in reply to "It's definitely a concern"
zima Member since:
2005-07-06

if you travel to China (as every businessperson learns) you will find that your items are not secure. [...]
I'd like to buy a Lenovo laptop running Linux sometime but given this background....


Your items are not secure anywhere, drop the silly China-bashing.

(me, I'd like to buy Intel or AMD based laptop, or any tech from UKUSA, but given such precedences... (pdf warning) "EUROPEAN PARLIAMENT [...] REPORT on the existence of a global system for the interception of private and commercial communications (ECHELON interception system)" http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML... )

Edited 2012-03-09 23:31 UTC

Reply Score: 2

IOMMU
by fithisux on Sat 3rd Mar 2012 11:50 UTC
fithisux
Member since:
2006-01-22

is the next big thing to hardware. It makes the uKernel designs easier and virtualization also is neater. I am eager to buy a motherboard+cpu with IOMMU. It seems expensive though. Hopefully we will se an Atom with IOMMU but it seems that they keep it for more expensive products. Personally I believe that IOMMU must become the norm (virtualization extensions come second).

Reply Score: 2

Not sure...
by Neolander on Sun 4th Mar 2012 09:06 UTC
Neolander
Member since:
2010-03-08

I'm not sure if IOMMUs represent that big of a defense against hardware backdoors. Here is why :

Let's say that I buy a laptop from a shady vendor. Like with any laptop, the hardware inside of it is pretty much a perfect black box to me. What makes me sure that all hardware on my motherboard will be connected to the memory bus through an IOMMU ? What prevents the laptop manufacturer (or someone else in the manufacturing chain) from just putting a "spy chip" directly on the memory bus, invisible to the OS ?

Now, I'm not saying that IOMMUs are useless for security. When using insecure external interfaces that let any peripheral access all physical memory, such as Firewire or Thunderbolt*, IOMMUs can prevent a simplistic and hot-pluggable "pen drive" from completely busting OS security. If you can trust your computer, then IOMMUs allow you not to trust what you plug in it, which is already something.

Also, security aside, IOMMUs are a great tool for virtualization.


* As far as I know, USB has no such vulnerability. Operating systems should, however, make sure that USB packets coming from devices are standard-compliant if they want to avoid the PS3's tragic fate (more details here : http://www.scribd.com/doc/51635014/BlackHat-DC-2011-Larimer-Vulnera... )

Edited 2012-03-04 09:12 UTC

Reply Score: 2