Mitigating direct memory access (DMA) attacks
BIOS settings
Enable IOMMU support.
Enable IOMMU
For Intel CPU
Add the following to the kernel boot parameters:
intel_iommu=on
For AMD CPU
IOMMU support is enabled automatically when IOMMU is enabled in the BIOS.
Check that IOMMU is enabled
Run the following command:
sudo dmesg | grep -i IOMMU
Early boot protection
Mitigate DMA during very early boot before full IOMMU initialization by adding the following to the kernel boot parameters:
Warning: This is known to cause a black screen with some GPUs. Prepare a fallback boot entry without the parameter, or be ready to perform system recovery, before proceeding.
efi=disable_early_pci_dma
Apply the change by regenerating the initramfs images:
sudo mkinitcpio -P
Thunderbolt and FireWire
These interfaces give attached devices DMA access to system memory and are therefore a DMA-attack vector. Disable the corresponding kernel modules by creating a modprobe configuration:
sudo nano /etc/modprobe.d/99-dma.conf
With the following content:
install firewire-core /bin/false
install thunderbolt /bin/false
Reboot. To check that the modules are not loaded:
lsmod | grep firewire
lsmod | grep thunderbolt
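The checks above (kernel command line, dmesg, lsmod, modprobe config) can be folded into one audit script. The following is an added example, not code from the original note or from any of the referenced guides. Each check takes its input as text so it can be exercised on the constructed sample data embedded below; `--live` feeds it the real /proc/cmdline, dmesg, lsmod and /etc/modprobe.d/99-dma.conf. The dmesg strings it matches ("DMAR: IOMMU enabled" for Intel, "AMD-Vi: Found IOMMU" for AMD) and the explicit amd_iommu=on parameter are assumptions beyond the note; widen the patterns if your kernel logs differently.

```shell
#!/bin/sh
# Added DMA-hardening audit (example only, not part of the original note).
# Every check reads text so it runs on constructed samples; --live uses the system.

# Kernel command line requests an IOMMU (intel_iommu=on; amd_iommu=on assumed
# as the explicit AMD equivalent) ...
cmdline_has_iommu() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])(intel_iommu|amd_iommu)=on([[:space:]]|$)'
}

# ... and early-boot DMA protection.
cmdline_has_early_dma() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])efi=disable_early_pci_dma([[:space:]]|$)'
}

# dmesg confirms the IOMMU actually initialised (message texts are assumptions).
dmesg_shows_iommu() {
    printf '%s\n' "$1" | grep -qE 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'
}

# lsmod output: print any DMA-capable module still loaded (empty output = good).
loaded_dma_modules() {
    printf '%s\n' "$1" | awk '$1 ~ /^(firewire_|thunderbolt$)/ {print $1}'
}

# modprobe config: print modules whose load is overridden to /bin/false.
# modprobe treats '-' and '_' in module names as equivalent, so normalise to '_'.
blocked_modules() {
    printf '%s\n' "$1" | awk '$1=="install" && $3=="/bin/false" {gsub(/-/,"_",$2); print $2}'
}

# Run all checks; returns 0 only when every expectation holds.
audit() {
    cmdline=$1; dmesg_text=$2; lsmod_text=$3; conf_text=$4; ok=0
    if cmdline_has_iommu "$cmdline"; then echo "ok   IOMMU requested on kernel command line"
    else echo "FAIL no intel_iommu=on / amd_iommu=on on kernel command line"; ok=1; fi
    if cmdline_has_early_dma "$cmdline"; then echo "ok   early-boot DMA protection requested"
    else echo "FAIL efi=disable_early_pci_dma missing from kernel command line"; ok=1; fi
    if dmesg_shows_iommu "$dmesg_text"; then echo "ok   kernel reports IOMMU enabled"
    else echo "FAIL dmesg does not show an enabled IOMMU"; ok=1; fi
    loaded=$(loaded_dma_modules "$lsmod_text")
    if [ -z "$loaded" ]; then echo "ok   no FireWire/Thunderbolt modules loaded"
    else echo "FAIL DMA-capable modules loaded:" $loaded; ok=1; fi
    for m in firewire_core thunderbolt; do
        if blocked_modules "$conf_text" | grep -qx "$m"; then echo "ok   $m blocked in modprobe config"
        else echo "FAIL $m not blocked in modprobe config"; ok=1; fi
    done
    return $ok
}

# Live mode: read the real system state (dmesg may need root on locked-down kernels).
live_audit() {
    audit "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null || sudo dmesg)" "$(lsmod)" \
          "$(cat /etc/modprobe.d/99-dma.conf 2>/dev/null)"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-linux root=UUID=PLACEHOLDER rw intel_iommu=on efi=disable_early_pci_dma'
SAMPLE_DMESG='[    0.010000] DMAR: IOMMU enabled
[    0.350000] iommu: Default domain type: Translated'
SAMPLE_LSMOD_BEFORE='Module                  Size  Used by
thunderbolt           385024  0
firewire_ohci          45056  0
firewire_core         118784  1 firewire_ohci
snd_hda_intel          65536  3'
SAMPLE_LSMOD_AFTER='Module                  Size  Used by
snd_hda_intel          65536  3'
SAMPLE_CONF='install firewire-core /bin/false
install thunderbolt /bin/false'

if [ "${1:-}" = "--live" ]; then
    live_audit
else
    echo "# before 99-dma.conf and reboot:"
    audit "$SAMPLE_CMDLINE" "$SAMPLE_DMESG" "$SAMPLE_LSMOD_BEFORE" "" || true
    echo "# after:"
    audit "$SAMPLE_CMDLINE" "$SAMPLE_DMESG" "$SAMPLE_LSMOD_AFTER" "$SAMPLE_CONF"
fi
```

Without arguments the script replays the constructed before/after samples; `sh audit-dma.sh --live` audits the running machine and exits non-zero if any check fails, which makes it usable from a post-reboot sanity check or a configuration-management test.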
References
https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF
https://discuss.privacyguides.net/t/how-to-properly-enable-iommu-on-linux/26499/2
https://secureblue.dev/articles/kargs
ChatGPT