path: root/docs/firewire.md
Diffstat (limited to 'docs/firewire.md')
-rw-r--r-- docs/firewire.md 23
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/firewire.md b/docs/firewire.md
new file mode 100644
index 0000000..ad80bc9
--- /dev/null
+++ b/docs/firewire.md
@@ -0,0 +1,23 @@
+# Firewire
+
+Para evitar [dumps de memória via
+firewire](http://links.sarava.org/tags/firewire), [este
+artigo](http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation)
+oferece a mitigação ideal via `/etc/modprobe.d/blacklist`:
+
+ # Physical memory attacks via Firewire/DMA Mitigation
+ # Prevent automatic loading of the ohci1394 module.
+ blacklist ohci1394
+ # Prevent manual loading of the ohci1394 module.
+ install ohci1394 false
+ # Iff we should ever load the ohci1394 module, force the use of the 'phys_dma=0' option.
+ options ohci1394 phys_dma=0
+
+Depois dessa configuração, é preciso atualizar a `initrd` de cada sistema, através do comando
+
+ update-initramfs -v -u
+
+Feito isso, o firewire pode ser desabilitado nos sistemas que estão rodando simplesmente com um
+
+ rmmod ohci1394
+
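Review bot: the modprobe snippet and the final `rmmod ohci1394` step name only the `ohci1394` driver, so on kernels that use the newer FireWire stack (`firewire-ohci` / `firewire-core`) these lines match nothing and the controller stays active. Consider adding the equivalent `blacklist` and `install ... false` lines for `firewire-ohci`, and noting that `phys_dma=0` is an `ohci1394` option. The target file is given as `/etc/modprobe.d/blacklist`; current modprobe versions only read files ending in `.conf`, so the doc should name a `.conf` file. A closing verification step would also help, for example checking that `lsmod` no longer lists the module after `update-initramfs -v -u` and a reboot.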