[PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down

Andy Lutomirski luto at kernel.org
Tue Mar 26 20:55:39 UTC 2019


On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett
<matthewgarrett at google.com> wrote:
>
> From: Matthew Garrett <mjg59 at srcf.ucam.org>
>
> Any hardware that can potentially generate DMA has to be locked down in
> order to avoid it being possible for an attacker to modify kernel code,
> allowing them to circumvent disabled module loading or module signing.
> Default to paranoid - in future we can potentially relax this for
> sufficiently IOMMU-isolated devices.

Does this break vfio?

--Andy



More information about the Linux-security-module-archive mailing list