Feat: migrate docs from Ikiwiki to MkDocs

author: Silvio Rhatto <rhatto@riseup.net> 2024-02-24 15:03:05 -0300
committer: Silvio Rhatto <rhatto@riseup.net> 2024-02-24 15:03:05 -0300
commit: c1b973a39a5be58eb4465603b971235ed7fedd4d (patch)
tree: 4cd1890930fa3ee59e244a9d963592a7b51979d4 /docs/firewire.md
parent: 3541adeafcdb79efdedc1f9d29a3bca15571c611 (diff)
download: padrao-c1b973a39a5be58eb4465603b971235ed7fedd4d.tar.gz
padrao-c1b973a39a5be58eb4465603b971235ed7fedd4d.tar.bz2
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/firewire.md b/docs/firewire.md
new file mode 100644
index 0000000..ad80bc9
--- /dev/null
+++ b/docs/firewire.md
@@ -0,0 +1,23 @@
+# Firewire
+
+Para evitar [dumps de memória via
+firewire](http://links.sarava.org/tags/firewire), [este
+artigo](http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation)
+oferece a mitigação ideal via `/etc/modprobe.d/blacklist`:
+
+    # Physical memory attacks via Firewire/DMA Mitigation
+    # Prevent automatic loading of the ohci1394 module.
+    blacklist ohci1394
+    # Prevent manual loading of the ohci1394 module.
+    install ohci1394 false
+    # Iff we should ever load the ohci1394 module, force the use of the 'phys_dma=0' option.
+    options ohci1394 phys_dma=0
+
+Depois dessa configuração, é preciso atualizar a `initrd` de cada sistema, através do comando
+
+    update-initramfs -v -u
+
+Feito isso, o firewire pode ser desabilitado nos sistemas que estão rodando simplesmente com um
+
+    rmmod ohci1394
+
author	Silvio Rhatto <rhatto@riseup.net>	2024-02-24 15:03:05 -0300
committer	Silvio Rhatto <rhatto@riseup.net>	2024-02-24 15:03:05 -0300
commit	c1b973a39a5be58eb4465603b971235ed7fedd4d (patch)
tree	4cd1890930fa3ee59e244a9d963592a7b51979d4 /docs/firewire.md
parent	3541adeafcdb79efdedc1f9d29a3bca15571c611 (diff)
download	padrao-c1b973a39a5be58eb4465603b971235ed7fedd4d.tar.gz padrao-c1b973a39a5be58eb4465603b971235ed7fedd4d.tar.bz2