In terms of security, not having an IOMMU means you can be attacked via DMA if someone has an exploit for one of your DMA-capable peripherals such as a network interface, USB controller, etc. Those two are the most popular.

Of course an x86-64 platform with Intel ME or AMD PSP is still vulnerable to DMA exploits due to the ME IOMMU bypass and various "debugging" mode features such as the recent USB Skylake hack.

ME/PSP can't be truly disabled; me_cleaner simply "cleans" it and sets the HAP bit. All the companies that purport to offer a "disabled" ME are simply using me_cleaner and not actually disabling ME, simply nerfing it, due to its tight integration with the CPU (it brings up the CPU and provides power management). On a modern x86-64 device it can't be disabled. There isn't even any proof that using me_cleaner truly improves security, or that there isn't another super secret hidden backdoor in the kernel, mask ROM, etc. which me_cleaner can't clean/nerf.

If Google can't get Intel to open source ME then no one can, certainly not Purism riding on the coat-tails of real security researchers. A modern x86-64 system will never be free without intervention from the OEMs.

If you want a computer that lacks this hardware backdoor your choices are either POWER9 (an owner-controlled performance CPU arch from IBM, of all companies), select ARM systems or of course the slightly older pre-PSP AMD stuff such as AM3+, C32, G34, FT3.

Feel free to email me any questions.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a14419b-4a1e-39c7-006d-78aef417fc5a%40gmx.com.
For more options, visit https://groups.google.com/d/optout.
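A defender's first check against the DMA exposure described at the top of this post, as an added example that is not part of the original message: a POSIX shell script that reads the Linux sysfs layout (/sys/kernel/iommu_groups and the per-device iommu_group link under /sys/bus/pci/devices) to report whether an IOMMU is active and which PCI devices fall outside any IOMMU group. The sysfs root is a parameter so the functions can be exercised against a constructed directory tree; the PCI addresses mentioned in the comments are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Reports IOMMU coverage from sysfs.
# Layout used (documented in the kernel's ABI/testing/sysfs-kernel-iommu_groups):
#   <root>/kernel/iommu_groups/<N>/devices/<pci-addr>   one dir per group
#   <root>/bus/pci/devices/<pci-addr>/iommu_group       symlink to the group
# <root> defaults to /sys; passing another root lets you test on a fake tree.

# Number of IOMMU groups the kernel has created. Zero means no IOMMU is
# active, so any DMA-capable device (NIC, USB controller, ...) can address
# all of physical memory.
iommu_group_count() {
    root="${1:-/sys}"
    n=0
    for g in "$root"/kernel/iommu_groups/*/; do
        [ -d "$g" ] || continue        # unmatched glob: skip the literal pattern
        n=$((n + 1))
    done
    echo "$n"
}

# PCI devices that are not a member of any IOMMU group. With an IOMMU active
# this list should normally be empty; a non-empty list points at devices whose
# DMA is not translated (e.g. a constructed "0000:00:14.0" USB controller).
unprotected_pci_devices() {
    root="${1:-/sys}"
    for dev in "$root"/bus/pci/devices/*/; do
        [ -d "$dev" ] || continue
        [ -e "$dev/iommu_group" ] || basename "$dev"
    done
}

# Human-readable summary; returns 1 when the host has no IOMMU protection.
iommu_report() {
    root="${1:-/sys}"
    groups=$(iommu_group_count "$root")
    if [ "$groups" -eq 0 ]; then
        echo "NO IOMMU: every DMA-capable peripheral can read/write arbitrary RAM"
        return 1
    fi
    echo "IOMMU active: $groups group(s)"
    exposed=$(unprotected_pci_devices "$root")
    if [ -n "$exposed" ]; then
        echo "PCI devices outside any IOMMU group (DMA not translated):"
        echo "$exposed"
    else
        echo "All PCI devices are assigned to an IOMMU group"
    fi
}

# Stand-alone use:  sh iommu_check.sh --run [sysfs-root]
case "${1:-}" in
    --run) iommu_report "${2:-/sys}" ;;
esac
```

Group count alone is not proof of safety: the kernel can create groups while leaving the IOMMU in passthrough mode, and firmware (including the ME, as the post notes) operates below this check. Treat the report as a necessary, not sufficient, condition and cross-check the kernel log for the IOMMU being enabled.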