Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Wed Nov 21 09:14:35 UTC 2018


On Wed, Nov 21, 2018 at 09:18:19AM +0200, Jarkko Sakkinen wrote:
> On Tue, Nov 20, 2018 at 10:42:01PM -0700, Jason Gunthorpe wrote:
> > > Why wouldn't you use DMA to spy on the RAM?
> > 
> > The platform has to use IOMMU to prevent improper DMA access from
> > places like PCI-E slots if you are using measured boot and want to
> > defend against HW tampering.
> 
> Yes. This is what I wanted to point out. Windows 10 has VBS to
> achieve something like this.
> 
> https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

Some trials like Qubes are in existence (it uses Xen).

I've been thinking about whether Linux should have a thin hypervisor solely
for VBS-like use in order to gain wider adoption.

/Jarkko


