Announcement

Collapse
No announcement yet.

Linux's Thunderbolt Manager Bolt 0.8 Adds IOMMU Protection

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • #1

    Linux's Thunderbolt Manager Bolt 0.8 Adds IOMMU Protection

    Phoronix: Linux's Thunderbolt Manager Bolt 0.8 Adds IOMMU Protection

    Bolt, the Red Hat led project for managing Thunderbolt devices on Linux and their security, is out with their version 0.8 update to introduce better security for the growing number of Thunderbolt devices...

    Linux's Thunderbolt Manager Bolt 0.8 Adds IOMMU Protection - Phoronix
    http://www.phoronix.com/scan.php?page=news_item&px=Thunderbolt-Bolt-0.8-Released
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    Will AMD processors work with TB technology one day?

    Comment

    • #3
      Bolt, the Red Hat led project for managing Thunderbolt devices on Linux
      Red Hat in here, Red Hat in there, Red Hat in everywhere!!
      • Likes 1

      Comment

      • #4
        Originally posted by Veske View Post
        Will AMD processors work with TB technology one day?
        The future is now, old man https://www.anandtech.com/show/14461...erbolt-10g-lan

        The ASRock X570 Creator is focused towards content creators with a range of high-end features including 10 G LAN, support for DDR4-4600, and dual Thunderbolt 3 Type-C ports.

        Also Thunderbolt 3 has folded into USB4 standard now.
        • Likes 3

        Comment

        • #5
          This is pretty cool, as DMA attacks are relatively easy to pull off given right hardware, and allow the attacker to do pretty much anything they want with the machine they took over. I've been scared of the possibility of someone getting access to my PCI bus and just wrecking whatever security I have.

          Comment

          • #6
            Originally posted by DoMiNeLa10 View Post
            This is pretty cool, as DMA attacks are relatively easy to pull off given right hardware, and allow the attacker to do pretty much anything they want with the machine they took over. I've been scared of the possibility of someone getting access to my PCI bus and just wrecking whatever security I have.
            And this doesn't change any of that. All it does is move part of the Thunderbolt implementation onto the CPU block. The IOMMU can still have bugs that have security implications regarding Thunderbolt DMA. The only way to "fix" this entirely is to put hot glue in your Thunderbolt port much like some more security conscious entities did back when IEEE-1394 was common on Macs and PCs. Otherwise, you have to depend on the OEM to get everything right. How much sleep you lose over it at night depends on what your likely security threats are. I personally sleep like a baby even with a TB port on my laptop. The likelihood of attack via malicious TB device on my personal laptop is practically non-existent.
            • Likes 2

            Comment

            • #7
              Originally posted by stormcrow View Post

              And this doesn't change any of that. All it does is move part of the Thunderbolt implementation onto the CPU block. The IOMMU can still have bugs that have security implications regarding Thunderbolt DMA. The only way to "fix" this entirely is to put hot glue in your Thunderbolt port much like some more security conscious entities did back when IEEE-1394 was common on Macs and PCs. Otherwise, you have to depend on the OEM to get everything right. How much sleep you lose over it at night depends on what your likely security threats are. I personally sleep like a baby even with a TB port on my laptop. The likelihood of attack via malicious TB device on my personal laptop is practically non-existent.
              In my case it's ExpressCard, and the thought of it is scary. I wonder whether simply enabling IOMMU support makes any change, or whether PCI ports are unrestricted by default.

              Also, I'm lucky enough to own hardware where I'm able to replace firmware with a more freedom respecting option, and at least attempt to neuter ME with me_cleaner. It's better than nothing.

              Comment

              • #8
                Originally posted by stormcrow View Post
                And this doesn't change any of that.
                Lol no don't post bullshit, layering defences is better than doing nothing.
                It does add one more step, now malware needs to be able to exploit IOMMU bugs too, and hope that there are in the target hardware.
                It's not impregnable as physically removing the port, but it is a great deal more secure than just leaving the port open, and you can still actually use the port.

                The likelihood of attack via malicious TB device on my personal laptop is practically non-existent.
                for now that thunderbolt hardware is limited to gold-plated stuff for Apple users.

                In a few years when USB4 and the "free Thunderbolt" become commonplace you can bet your backside that the first Thunderbolt "rubber ducky" will appear. It won't be as cheap as USB rubber duckies, but it will be far more powerful if the system does not protect itself.

                Comment

                • #9
                  Originally posted by starshipeleven View Post
                  for now that thunderbolt hardware is limited to gold-plated stuff for Apple users.
                  And Dell, Lenovo, Razer, MSI, ... everyone who makes high-end laptops essentially.

                  I'm using a Dell Thunderbolt USB-C docking station right now, actually. Although I have it plugged into a Lenovo T580.

                  Comment

                  • #10
                    Uh, how is Bolt (== userspace management daemon) actually tied into whether IOMMU is used, I thought that PCI internals management was strictly kernel purview? Or is it one of those mechanism/policy splits where kernel provides the functionality but does not enable it by default?

                    Comment

                    Previous 1 2 template Next
                    Working...
                    X