On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett <matthewgarr...@google.com> wrote: > > From: Matthew Garrett <mj...@srcf.ucam.org> > > Any hardware that can potentially generate DMA has to be locked down in > order to avoid it being possible for an attacker to modify kernel code, > allowing them to circumvent disabled module loading or module signing. > Default to paranoid - in future we can potentially relax this for > sufficiently IOMMU-isolated devices.
Does this break vfio? --Andy