1. 14

  2. 4

    Additionally, with appropriate use of IOMMUs, system stability is improved, as badly behaving hardware and drivers cannot crash the system.

    This is kind of true, but with currently shipping versions of PCIe (i.e. without IDE) there is no attestation of devices and no way to write an IOMMU policy based on anything trustworthy. PCIe devices assert their identity in a packet header; they can lie. Any PCIe device can impersonate any other device. This is what makes Thunderbolt particularly dangerous: the CPU and IOMMU have no way of telling apart your disk and a malicious device that wants to pretend to be your disk to DMA any data that you’ve exposed in the IOMMU for the disk controller.
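    Since the IOMMU can only enforce a policy keyed on an identity the device asserts about itself, the one thing a defender can check with confidence is whether the kernel is tunnelling PCIe to hot-plugged Thunderbolt devices at all, and whether it is leaning on the IOMMU to contain them. The script below is an added example, not code from this thread: the sysfs attribute names are the ones documented in the Linux kernel's `Documentation/admin-guide/thunderbolt.rst`, the OK/WEAK verdict rule is this example's own policy rather than a kernel feature, and the sample tree it builds is constructed so the audit runs without hardware.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Linux Thunderbolt/USB4 sysfs
# tree for DMA exposure. Attribute names per admin-guide/thunderbolt.rst:
#   domainN/security              none | user | secure | dponly | usbonly | nopcie
#   domainN/iommu_dma_protection  1 when the kernel relies on the IOMMU to
#                                 contain hot-plugged devices
#   N-M/authorized                0 = PCIe tunnel refused, 1 or 2 = connected
# The OK/WEAK rule is this example's own policy, not something the kernel provides.

tb_audit() {
  root="${1:-/sys/bus/thunderbolt/devices}"
  weak=0
  for dom in "$root"/domain*; do
    [ -d "$dom" ] || continue
    sec=$(cat "$dom/security" 2>/dev/null || echo unknown)
    dma=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
    case "$sec" in
      dponly|usbonly|nopcie) verdict=OK ;;   # no PCIe tunnelling, so no DMA path
      user|secure) if [ "$dma" = 1 ]; then verdict=OK; else verdict=WEAK; fi ;;
      *) verdict=WEAK ;;                      # 'none' or unknown: any plugged device gets DMA
    esac
    if [ "$verdict" = WEAK ]; then weak=$((weak + 1)); fi
    echo "$(basename "$dom") security=$sec iommu_dma_protection=$dma verdict=$verdict"
  done
  # Devices live flat in the same directory, named <domain>-<route>.
  for dev in "$root"/[0-9]*-*; do
    [ -f "$dev/authorized" ] || continue
    echo "  $(basename "$dev") authorized=$(cat "$dev/authorized") name=$(cat "$dev/device_name" 2>/dev/null || echo '?')"
  done
  [ "$weak" -eq 0 ]   # exit status 0 only when no domain is WEAK
}

# Constructed sample tree so the audit can be exercised without real hardware.
tb_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/domain0" "$d/domain1" "$d/0-1"
  echo user   > "$d/domain0/security"
  echo 0      > "$d/domain0/iommu_dma_protection"   # user approval only, no IOMMU containment
  echo secure > "$d/domain1/security"
  echo 1      > "$d/domain1/iommu_dma_protection"
  echo 1      > "$d/0-1/authorized"
  echo 'External NVMe dock (constructed)' > "$d/0-1/device_name"
  echo "$d"
}

if [ "${1:-}" = demo ]; then
  tb_audit "$(tb_demo_tree)" || echo "at least one domain exposes DMA to unverified devices"
fi
```

Run it as `sh tb_audit.sh demo` to see the constructed case, or with no argument as a sourced library and call `tb_audit` against the real `/sys/bus/thunderbolt/devices`. A `WEAK` verdict means a plugged device, whatever it claims to be, is one user click (or no click at all) away from DMA into the host.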

    1. 1

      To me, the relevant thing that would merit this level of caution is approximately (feel free to substitute more relevant real world nouns): a bad actor, Dolores Umbridge, has somehow taken over control of Hogwarts, and most of us are very concerned about that. How can the Order of the Phoenix communicate, calculate, and scheme against these Death Eaters without blowing our cover?

      The most useful “Dolores Umbridge” defense is a maximally simple protocol based on commonly available software and gear. Convenience of use is relatively unimportant (the Order of the Phoenix is extrinsically motivated), but safety and correctness of use (“opsec easy mode”) is very important.

      How come so many people are interested in what I would categorize as “casual laptop use that can also defend against 3 letter agency attacks”, but few are working on a widely disseminated protocol for solving the Dolores Umbridge problem?

      The point is, it seems like if you push very far beyond “properly patched and configured laptop”, you quickly get into contingency planning more than dealing with a real day-to-day threat landscape. Maybe that’s worth a contingency plan, but I’m not sure it’s worth considering as a day-to-day threat.