From 07d75df75ada34ef4b7de9cb07770b19251520f1 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 1 Oct 2017 17:21:16 -0300 Subject: Change markdown extension to .md --- firewire.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 firewire.md (limited to 'firewire.md') diff --git a/firewire.md b/firewire.md new file mode 100644 index 0000000..63ac7f4 --- /dev/null +++ b/firewire.md @@ -0,0 +1,23 @@ +[[!toc levels=4]] + +Firewire +======== + +Para evitar [dumps de memória via firewire](http://links.sarava.org/tags/firewire), [este artigo](http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation) oferece a mitigação ideal via `/etc/modprobe.d/blacklist`: + + # Physical memory attacks via Firewire/DMA Mitigation + # Prevent automatic loading of the ohci1394 module. + blacklist ohci1394 + # Prevent manual loading of the ohci1394 module. + install ohci1394 false + # Iff we should ever load the ohci1394 module, force the use of the 'phys_dma=0' option. + options ohci1394 phys_dma=0 + +Depois dessa configuração, é preciso atualizar a `initrd` de cada sistema, através do comando + + update-initramfs -v -u + +Feito isso, o firewire pode ser desabilitado nos sistemas que estão rodando simplesmente com um + + rmmod ohci1394 + -- cgit v1.2.3
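Review bot: the instructions in the new `firewire.md` hunk point at a file named `/etc/modprobe.d/blacklist` without the `.conf` suffix; current `modprobe` (kmod, and module-init-tools from 3.7 on) only reads `*.conf` files under `/etc/modprobe.d/` and silently skips the rest, so the `blacklist`/`install`/`options` lines as written would never take effect on a modern system. Suggest naming the file e.g. `/etc/modprobe.d/firewire-dma.conf`. On the same lines, `ohci1394` is the driver of the old ieee1394 stack, which was removed from the kernel in 2.6.37; a 2017 system uses `firewire-ohci` (with `firewire-core`), so the blacklist, `install ... false` and the later `rmmod ohci1394` should cover `firewire-ohci` as well, otherwise the mitigation the page is documenting does not actually prevent the module from loading. Minor: the comment `# Iff we should ever load ...` reads as a typo for `If`, and the `update-initramfs -v -u` step is Debian-specific, which the text could state.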