[ubuntu-hardened] Blacklisting modules: firewire-core and thunderbolt.

daniel curtis sidetripping at gmail.com
Sun Apr 24 12:22:40 UTC 2016


Hello.

According to post-installation security hardening steps I would like to
globally disable the 'firewire' and 'thunderbolt' modules, which can be used
for a direct memory access (DMA) attack. It is a type of side channel attack
in which an adversary penetrates a device by exploiting the presence of
high-speed expansion ports that permit Direct Memory Access.

Because I'm running the 12.04 LTS release, I would like to ask how I can
achieve this. Should I create, for example, a /etc/modprobe.d/blacklist-dma.conf
file and add the following lines?

blacklist firewire-core
blacklist thunderbolt

There is no such file, and only one file (blacklist-firewire.conf) contains
lines related to firewire. It looks like this:

#blacklist firewire-ohci
#blacklist firewire-sbp2

Both are commented out. Can I blacklist 'firewire-core' and 'thunderbolt'
in this file? Generally my question is pretty simple: which method is okay?

Why would I do such a thing? There are many reasons. One of them is that a
security researcher has discovered a way to infect Macs with malware that is
virtually undetectable and "can't be removed". It can be done via the
Thunderbolt port, etc.

Best regards.
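As an added example that is not part of the original post: the following POSIX shell script writes the kind of /etc/modprobe.d fragment the post proposes and then inspects a modprobe.d directory to report whether a module is actually blocked. The target file name and the two module names come from the post; adding firewire-ohci and firewire-sbp2 to the list, and pairing each "blacklist" line with "install <module> /bin/false", are choices made here, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a modprobe.d
# fragment that disables the FireWire and Thunderbolt driver stacks and
# inspects a modprobe.d directory to report how a module is handled.
#
# Assumptions: the path /etc/modprobe.d/blacklist-dma.conf and the two
# modules firewire-core and thunderbolt are from the post; including
# firewire-ohci and firewire-sbp2, and using "install <module> /bin/false"
# next to "blacklist", are choices made in this example.

# "blacklist" only stops modprobe from loading a module through its
# aliases (for example PCI IDs reported by udev). It does not stop an
# explicit "modprobe firewire-core", nor a load pulled in as a dependency
# of firewire-ohci. "install <mod> /bin/false" replaces the load command,
# so every request for that module fails instead.
DMA_MODULES="firewire-core firewire-ohci firewire-sbp2 thunderbolt"

# Print the configuration fragment to stdout.
dma_blacklist_conf() {
    echo "# Disable DMA-capable expansion buses (FireWire, Thunderbolt)."
    echo "# blacklist: no autoload by alias; install /bin/false: no load at all."
    for m in $DMA_MODULES; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}

# Report how module $1 is treated by the *.conf files in directory $2:
#   hard  - an "install ... /bin/false" (or /bin/true) line blocks loading
#   soft  - only a "blacklist" line exists (alias autoload prevented)
#   none  - no active line mentions it (commented-out lines do not count)
# modprobe treats '-' and '_' in module names as equivalent, so the
# pattern accepts either spelling.
module_disable_state() {
    mod=$1
    dir=$2
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$dir"/*.conf; then
        echo hard
    elif grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${pat}([[:space:]]|\$)" "$dir"/*.conf; then
        echo soft
    else
        echo none
    fi
}

# Demonstration against a scratch directory; this never writes to /etc.
demo_dir=$(mktemp -d)
dma_blacklist_conf > "$demo_dir/blacklist-dma.conf"
# The stock Ubuntu file quoted in the post: both lines commented out.
printf '#blacklist firewire-ohci\n#blacklist firewire-sbp2\n' > "$demo_dir/blacklist-firewire.conf"
for m in $DMA_MODULES e1000e; do
    printf '%-16s %s\n' "$m" "$(module_disable_state "$m" "$demo_dir")"
done
# If this machine has a matching modules.dep, ask modprobe what it would
# do for firewire-core under the scratch config (dry run, verbose).
if command -v modprobe >/dev/null 2>&1 && [ -f "/lib/modules/$(uname -r)/modules.dep" ]; then
    modprobe -n -v -C "$demo_dir" firewire-core 2>/dev/null || true
fi
rm -rf "$demo_dir"
```

To apply it for real, redirect dma_blacklist_conf into /etc/modprobe.d/blacklist-dma.conf as root. On Ubuntu the modprobe.d directory is copied into the initramfs, so run "sudo update-initramfs -u" afterwards so the rule also covers modules loaded early in boot; "modprobe -n -v firewire-core" should then show the /bin/false install command rather than an insmod line.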

