On Tue, 26 Mar 2019 13:55:39 -0700 Andy Lutomirski <[email protected]> wrote:
> On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett > <[email protected]> wrote: > > > > From: Matthew Garrett <[email protected]> > > > > Any hardware that can potentially generate DMA has to be locked down in > > order to avoid it being possible for an attacker to modify kernel code, > > allowing them to circumvent disabled module loading or module signing. > > Default to paranoid - in future we can potentially relax this for > > sufficiently IOMMU-isolated devices. > > Does this break vfio? No, vfio provides its own interface to pci config space. Thanks, Alex
