From 8c710b4f2329448b648274cf84a61318de270bb9 Mon Sep 17 00:00:00 2001
From: Evgeny Egorochkin
Date: Sun, 13 Jan 2013 11:04:26 +0200
Subject: [PATCH] LuksRoot: mitigate DMA key recovery attacks by default.
---
 modules/system/boot/luksroot.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix
index 27c9c85eab3d..4620a34cbcb8 100644
--- a/modules/system/boot/luksroot.nix
+++ b/modules/system/boot/luksroot.nix
@@ -49,6 +49,18 @@ in
 description = "Obsolete.";
 };
+ boot.initrd.luks.mitigateDMAAttacks = mkOption {
+ default = true;
+ description = ''
+ Unless enabled, encryption keys can be easily recovered by an attacker with physical
+ access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port.
+ More information: http://en.wikipedia.org/wiki/DMA_attack
+
+ This option blacklists FireWire drivers, but doesn't remove them. You can manually
+ load the drivers if you need to use a FireWire device, but don't forget to unload them!
+ '';
+ };
+
 boot.initrd.luks.devices = mkOption {
 default = [ ];
 example = [ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ];
@@ -123,6 +135,10 @@ in
 config = mkIf (luks.devices != []) {
+ # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
+ boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
+ ["firewire_ohci" "firewire_core" "firewire_sbp2"];
+
 # Some modules that may be needed for mounting anything ciphered
 boot.initrd.kernelModules = [ "aes_generic" "aes_x86_64" "dm_mod" "dm_crypt" "sha256_generic" "cbc" "cryptd" ];
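Review bot: The option description in the first hunk tells the user that disabling it exposes the key to attackers via PCMCIA, ExpressCard, ThunderBolt or FireWire ports, but all the option does (second hunk) is add `firewire_ohci`, `firewire_core` and `firewire_sbp2` to `boot.blacklistedKernelModules`, so readers will overestimate what is mitigated. Reword the opening so it states the actual scope, e.g. `Blacklist the FireWire kernel modules so a FireWire device cannot use DMA to read system memory (and with it the LUKS key) while the system is running. Other DMA-capable ports (PCMCIA, ExpressCard, Thunderbolt) are not covered by this option.` The comment `# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested` records an unverified assumption for a mitigation that is on by default; either confirm it before landing or mark it `TODO` with what should be checked. The description already notes that the modules can still be loaded manually, so it would also help to say explicitly that blacklisting only stops automatic loading and leaves a user-loaded driver active until unloaded.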