DMA

Mitigating direct memory access (DMA) attacks


BIOS settings

Enable the IOMMU. If no setting with that name exists, look for VT-d (Intel Virtualization Technology for Directed I/O) on Intel systems or AMD-Vi (AMD I/O Virtualization Technology) on AMD systems. Without this firmware setting none of the operating-system settings below have any effect.

Linux

For Intel CPU

Add the following to the kernel boot parameters (harmless if your distribution already enables the Intel IOMMU by default):

intel_iommu=on

For AMD CPU

IOMMU support is enabled automatically once the IOMMU is enabled in the BIOS; no kernel parameter is needed.

Verify that IOMMU is enabled

Run the following command; on Intel you should see a line such as "DMAR: IOMMU enabled" (or the "Intel(R) Virtualization Technology for Directed I/O" banner), on AMD lines prefixed "AMD-Vi:" such as "AMD-Vi: Found IOMMU at ...". A populated /sys/kernel/iommu_groups directory is a second, driver-independent sign that the IOMMU is active.

sudo dmesg | grep -i IOMMU

Early boot protection

Mitigate DMA during very early boot, before the IOMMU driver has initialized, by adding the following to the kernel boot parameters. This is an EFI-stub option (it clears the bus-master bit on PCI bridges while the EFI stub runs), so it only applies to UEFI boots.

⚠️ Warning

This is known to cause a black screen with some GPUs. Prepare a fallback boot entry without the parameter, or be ready to perform system recovery, before proceeding.

efi=disable_early_pci_dma

Apply. Kernel parameters live in the bootloader configuration, not in the initramfs: with GRUB, add them to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and regenerate with grub-mkconfig -o /boot/grub/grub.cfg; with systemd-boot, add them to the options line of the entry under /boot/loader/entries/. If you boot a unified kernel image built by mkinitcpio, the command line is read from /etc/kernel/cmdline (or /etc/cmdline.d/) at build time, so after editing it rebuild the image:

sudo mkinitcpio -P

Whichever bootloader you use, confirm after rebooting that the parameters appear in /proc/cmdline.

Thunderbolt and FireWire

These buses grant DMA to hot-plugged devices, which makes them the classic DMA-attack vector. If you do not use them, prevent their kernel modules from loading by creating a modprobe configuration. An install directive that runs /bin/false blocks both automatic and manual loading (a plain blacklist line only stops alias-based autoloading); it cannot disable a driver that is built into the kernel rather than a module. Blocking thunderbolt also disables Thunderbolt/USB4 docks and displays, so on a laptop that needs them rely on the IOMMU instead and check that the kernel reports iommu_dma_protection for the Thunderbolt domain under /sys/bus/thunderbolt/devices/.

sudo nano /etc/modprobe.d/99-dma.conf

With the following content:

install firewire-core /bin/false
install thunderbolt /bin/false

Reboot. Both of the following commands should print nothing, which means the modules are not loaded:

lsmod | grep firewire
lsmod | grep thunderbolt
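The following script, an added example that is not part of the original page, audits the whole Linux procedure above on a running host: it shows the current kernel command line, classifies the IOMMU state from dmesg, checks /sys/kernel/iommu_groups, and lists any firewire or thunderbolt modules still loaded. It also contains an idempotent helper for appending a kernel parameter to a GRUB_CMDLINE_LINUX_DEFAULT-style string, since re-running a hardening script must not duplicate parameters. The dmesg and lsmod samples embedded in it are constructed, not captured from a real machine, and exist only so the pure functions can be exercised without root; the script name dma-check.sh is an assumption.

```shell
#!/bin/sh
# dma-check.sh: audit the Linux DMA mitigations above on the running host.
# Added example (not from the original page). The pure functions take their
# input as arguments so they can be exercised on constructed text without root.

# Constructed sample inputs, not captured from a real machine.
SAMPLE_INTEL_DMESG='[    0.012345] DMAR: IOMMU enabled
[    0.345678] DMAR: Intel(R) Virtualization Technology for Directed I/O'
SAMPLE_AMD_DMESG='[    0.456789] AMD-Vi: Found IOMMU at 0000:00:00.2 cap 0x40
[    0.456800] AMD-Vi: Interrupt remapping enabled'
SAMPLE_LSMOD='Module                  Size  Used by
thunderbolt           409600  0
xhci_pci               24576  0
firewire_core         110592  0'

# Append a kernel parameter to a GRUB_CMDLINE_LINUX_DEFAULT-style string only
# if it is not already present, so the edit is idempotent.
# $1 = current parameters, $2 = parameter to add (e.g. intel_iommu=on)
cmdline_add_param() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;        # already there: unchanged
        "  ")     printf '%s\n' "$2" ;;        # empty string: just the param
        *)        printf '%s\n' "$1 $2" ;;
    esac
}

# Classify dmesg text as "intel", "amd" or "none". Intel prints
# "DMAR: IOMMU enabled" (or the DMAR banner when the IOMMU is on by default);
# AMD prints "AMD-Vi: Found IOMMU at ..." when the driver attaches.
iommu_state_from_dmesg() {
    if printf '%s\n' "$1" | grep -Eq 'DMAR: (IOMMU enabled|Intel\(R\) Virtualization Technology for Directed I/O)'; then
        echo intel
    elif printf '%s\n' "$1" | grep -q 'AMD-Vi: Found IOMMU'; then
        echo amd
    else
        echo none
    fi
}

# A populated /sys/kernel/iommu_groups is the most reliable runtime sign that
# the IOMMU is active; $1 lets a test point at a constructed directory.
iommu_groups_present() {
    groups_dir=${1:-/sys/kernel/iommu_groups}
    [ -d "$groups_dir" ] && [ -n "$(ls -A "$groups_dir" 2>/dev/null)" ]
}

# Given lsmod output, print the DMA-capable bus drivers that are still loaded
# (lsmod shows module names with underscores, e.g. firewire_core).
dma_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 ~ /^(firewire_core|firewire_ohci|thunderbolt)$/ { print $1 }'
}

# Report on the live system. Does not modify anything; run with sudo so that
# dmesg is readable (many distributions restrict it to root).
main() {
    echo "cmdline: $(cat /proc/cmdline)"
    echo "IOMMU (dmesg): $(iommu_state_from_dmesg "$(dmesg 2>/dev/null)")"
    if iommu_groups_present; then
        echo "iommu_groups: present"
    else
        echo "iommu_groups: MISSING, IOMMU is not active"
    fi
    loaded=$(dma_modules_loaded "$(lsmod)")
    if [ -n "$loaded" ]; then
        echo "DMA-capable modules still loaded: $loaded"
    else
        echo "firewire/thunderbolt modules: not loaded"
    fi
    # Preview of an idempotent cmdline edit (nothing is written to disk).
    echo "example cmdline: $(cmdline_add_param 'quiet splash' 'intel_iommu=on')"
}

# Only run the report when invoked as dma-check.sh, so the functions can be
# sourced from other scripts.
if [ "$(basename -- "$0")" = "dma-check.sh" ]; then
    main
fi
```

Save it as dma-check.sh and run it with sudo after each reboot of the procedure. The script only reports; the actual edit of /etc/default/grub or the systemd-boot entry is deliberately left to you, because a wrong parameter in a boot entry is exactly what the fallback entry in the warning above exists for.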

Windows

Verify that IOMMU is enabled

Search for and open System Information in the Start menu. At the bottom of System Summary, verify that Kernel DMA Protection is On; this is the Windows feature that uses the IOMMU to block DMA from newly attached devices, and it requires the IOMMU to be enabled in the BIOS and supported by the firmware. Virtualisation-based security showing as Running confirms the IOMMU is in use, but it is not by itself the DMA protection.

References

https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks

https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF

https://discuss.privacyguides.net/t/how-to-properly-enable-iommu-on-linux/26499/2

https://secureblue.dev/articles/kargs

ChatGPT

https://www.youtube.com/watch?v=y2xVcwnytXY

Code licensed under the MIT License; all other content under CC BY-SA 4.0.
Last updated on Mar 05, 2026 08:01 UTC