On Tue, May 12, 2020 at 05:36:07PM -0700, Brendan Hoar wrote:
> On Tuesday, May 12, 2020 at 8:01:50 PM UTC-4, Marek Marczykowski-Górecki
> wrote:
> >
> > On Tue, May 12, 2020 at 06:22:50AM -0700, bradbury9 wrote:
> > > Looks like a new evil maid attack [1][2] that takes advantage of the
> > > Thunderbolt port is in the wild.
> > >
> > > I do recall Qubes OS had anti-evil-maid features. I wonder, is Qubes OS
> > > protected against this new attack?
> > >
> > > [1]: https://www.schneier.com/blog/archives/2020/05/attack_against_2.html
> > > [2]: https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/
> >
> > In theory, my answer would be "IOMMU isolates Thunderbolt devices, so it
> > isn't a concern". But unfortunately practice can be far from it:
> >
> > 1. As mentioned in the advisory, effective IOMMU isolation for
> > Thunderbolt is available in hardware produced in 2019+ only.
> >
> > 2. Configuring IOMMU for hot-pluggable devices is generally racy.
> >
> > In Qubes we do disable PCI hotplug handling in the kernel, but that's only a
> > small obstacle for the attacker, in many cases bypassable
> > - unless proper IOMMU configuration is applied at the right time, in
> > many cases the device can access host memory even if no driver is loaded
> > for it.
> >
> > So, my advice would be to disable Thunderbolt until further notice.
>
> Hmm...
>
> Well, if the attack requires that the Thunderbolt chipset firmware be
> compromised via *physical attack*, I suppose the attacker would also
> compromise the UEFI/BIOS firmware during the physical attack, leaving the
> UEFI/BIOS showing the device disabled, but...really, leaving it active
> enough for attack.
In the case of many laptops, OEMs enable BootGuard, which detects UEFI/BIOS
modifications (and also prevents installing coreboot at the same time). So,
this isn't that easy. UEFI/BIOS is a quite complex piece of code, so it's
quite possible to find some bug that allows attacking it in a different way.
But it isn't as easy as directly modifying it on the flash.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20200513015113.GI1178%40mail-itl.
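An added example, not code from this thread, from Qubes OS, or from any of the posters: a POSIX shell audit of the host-side state that Marek's two points turn on, read from the kernel's own sysfs and proc attributes. Point 1 (only 2019+ hardware has effective Thunderbolt DMA protection) shows up as the per-domain iommu_dma_protection flag, which is how the firmware reports Kernel DMA Protection to Linux; point 2 (the IOMMU must actually be configured) shows up as the presence of IOMMU groups and the boot command line; and his advice to disable Thunderbolt corresponds to a domain security level of nopcie or usbonly, where no PCIe tunnel (and so no DMA path) is set up at all. The SYSROOT variable and the "run" argument are this script's own conventions, assumed here so the functions can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not code from the qubes-devel thread or Qubes OS): audit a Linux
# host's Thunderbolt DMA exposure from sysfs/proc. Attribute paths are the kernel's
# own; SYSROOT is this script's assumption so a constructed tree can stand in for /.
SYSROOT="${SYSROOT:-}"

# read_attr FILE: print the file's content without newlines, or "missing".
read_attr() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf 'missing'
    fi
}

# iommu_enabled: print 1 if the kernel exposes at least one IOMMU group
# (DMA remapping active), else 0.
iommu_enabled() {
    set -- "$SYSROOT"/sys/kernel/iommu_groups/*
    if [ -d "$1" ]; then echo 1; else echo 0; fi
}

# cmdline_has_iommu: print 1 if the boot command line explicitly turns the
# IOMMU on (some distributions leave it off even on capable hardware).
cmdline_has_iommu() {
    cmd=$(read_attr "$SYSROOT/proc/cmdline")
    case " $cmd " in
        *" intel_iommu=on "*|*" amd_iommu=on "*|*" iommu=force "*) echo 1 ;;
        *) echo 0 ;;
    esac
}

# tb_audit: one line per Thunderbolt domain. Returns 0 only when the IOMMU is
# active and every domain either refuses PCIe tunnelling (security=nopcie/usbonly)
# or reports firmware Kernel DMA Protection (iommu_dma_protection=1); 1 otherwise.
tb_audit() {
    rc=0
    iommu=$(iommu_enabled)
    if [ "$iommu" != 1 ]; then
        echo "WARN: no IOMMU groups in sysfs; DMA remapping is not active" \
             "(cmdline requests IOMMU: $(cmdline_has_iommu))"
        rc=1
    fi
    ndom=0
    for d in "$SYSROOT"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        ndom=$((ndom + 1))
        name=${d##*/}
        sec=$(read_attr "$d/security")
        prot=$(read_attr "$d/iommu_dma_protection")
        case "$sec" in
            nopcie|usbonly)
                echo "OK:   $name security=$sec (no PCIe tunnel, no DMA path)" ;;
            *)
                if [ "$prot" = 1 ] && [ "$iommu" = 1 ]; then
                    echo "OK:   $name security=$sec iommu_dma_protection=1"
                else
                    echo "FAIL: $name security=$sec iommu_dma_protection=$prot" \
                         "(a hot-plugged PCIe device may reach host memory)"
                    rc=1
                fi ;;
        esac
    done
    [ "$ndom" -gt 0 ] || echo "INFO: no Thunderbolt domains registered (controller absent or disabled)"
    return "$rc"
}

# Entry point: audit the live system only when invoked as "sh tb_audit.sh run",
# so the functions can also be sourced or tested against a constructed tree.
if [ "${1:-}" = "run" ]; then
    tb_audit
    exit $?
fi
```

Run it as "sh tb_audit.sh run" on the host; the attributes it reads are world-readable, so no root is needed. A "security=user" or "security=none" domain with iommu_dma_protection=0 is exactly the configuration the thread is worried about: PCIe tunnelling is allowed, and nothing below the OS guarantees the IOMMU is in place before a hot-plugged device can issue DMA. A nopcie domain is the sysfs view of "Thunderbolt disabled" as Marek recommends.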
