On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett <[email protected]> wrote: > > From: Matthew Garrett <[email protected]> > > Any hardware that can potentially generate DMA has to be locked down in > order to avoid it being possible for an attacker to modify kernel code, > allowing them to circumvent disabled module loading or module signing. > Default to paranoid - in future we can potentially relax this for > sufficiently IOMMU-isolated devices.
Does this break vfio? --Andy
