It does
Posted Jan 11, 2013 10:10 UTC (Fri) by epa (subscriber, #39769)
In reply to: It does by renox
Parent article: Attacking full-disk encryption with Inception
But you are saying that the *disk* gets to choose which part of the host's memory to write to, and organizes the DMA itself?
Posted Jan 11, 2013 12:24 UTC (Fri)
by cladisch (✭ supporter ✭, #50193)
Yes; the disk gets told by the disk driver the address which it should write to.
> and organizes the DMA itself?
The disk device just sends a packet with a specific address to the host.
This address usually works similarly to the port number in TCP/IP, i.e., the controller writes the packet into a buffer configured by the driver, and the host's FireWire software stack uses the address to determine which driver/application gets to handle the packet.
However, as an optimization, FireWire controllers can be configured by the driver to handle certain packets from certain devices differently, by writing them to the physical memory address specified in the packet itself.
Posted Jan 11, 2013 16:19 UTC (Fri)
by epa (subscriber, #39769)
Posted Jan 11, 2013 16:36 UTC (Fri)
by etienne (guest, #25256)
Well, if you are queuing different reads from the disk, and the disk decides itself in which order it does them, it will have to synchronise to the DMA controller in maybe complex ways to write the right sector at the right place...
Posted Jan 12, 2013 1:13 UTC (Sat)
by butlerm (subscriber, #13312)
Posted Jan 14, 2013 10:14 UTC (Mon)
by etienne (guest, #25256)
Posted Jan 14, 2013 11:19 UTC (Mon)
by dlang (guest, #313)
With FireWire this doesn't take hacking the card; it's a normal mode of operation.
Posted Jan 16, 2013 13:25 UTC (Wed)
by epa (subscriber, #39769)
Posted Jan 17, 2013 16:39 UTC (Thu)
by cladisch (✭ supporter ✭, #50193)
The three transport protocols where SCSI can use some form of remote DMA are FireWire, InfiniBand, and iWARP.
It does
> The disk device just sends a packet with a specific address to the host.
Surely not - the disk sends a packet to the SCSI controller, and then the SCSI controller writes into the host's memory. (Unless this is just a question of terminology)
> However, as an optimization, FireWire controllers can be configured by the driver to handle certain packets from certain devices differently, by writing them to the physical memory address specified in the packet itself.
I see - that is the root of this vulnerability. Clearly if devices can be plugged in externally, that optimization needs to be disabled.
It does
So the IDE/AHCI interface stores the address to read/write to with the sector requested from the disk, and will DMA to that address.
If you have a PCI card which pretends to be an IDE/AHCI card it will be able to DMA everywhere. PCMCIA cards probably can do that.
If you want to do secured DMA, you would need to manage (quickly) all these blocks *and* synchronise with IDE/AHCI (considering read/write retries); I do not think Linux does that.
No it doesn't
Same for a hacked IDE adapter, and mostly for PCMCIA/CardBus cards accessible on a lot of PCs without opening the box.
No it doesn't
There isn't a SCSI interface on the planet where a SCSI disk instructs the SCSI host adapter which host memory address to write to. Nor an IDE/ATA/SATA one for that matter. That would be insane.
Right. But apparently Firewire does have that design flaw?
No it doesn't
> But apparently Firewire does have that design flaw?