On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett <matthewgarrett@xxxxxxxxxx> wrote: > > From: Matthew Garrett <mjg59@xxxxxxxxxxxxx> > > Any hardware that can potentially generate DMA has to be locked down in > order to avoid it being possible for an attacker to modify kernel code, > allowing them to circumvent disabled module loading or module signing. > Default to paranoid - in future we can potentially relax this for > sufficiently IOMMU-isolated devices. Does this break vfio? --Andy
