From bccacc7a4d6f9e177b6eb33e785a06252d77a5f7 Mon Sep 17 00:00:00 2001 From: Minifree Ltd Date: Sat, 30 Apr 2016 09:16:01 -0400 Subject: FAQ: update the entry related to HDD firmware IRC logs are unprofessional. Tweak the entry so that the information is presented in a proper paragraph. --- diff --git a/site/faq/index.php b/site/faq/index.php index 0c8fdb0..b525eb0 100644 --- a/site/faq/index.php +++ b/site/faq/index.php @@ -837,33 +837,35 @@ The following is based on discussion with Peter Stuge (CareBear\) in the coreboot IRC channel on Friday, 18 September 2015, when investigating whether the SATA drive itself can make use of DMA. The following is based on the datasheets linked above:

-

- <CareBear\> francis7 : so FIS type 39h is "DMA Activate FIS - Device to Host", which sounds interesting
- <CareBear\> "transfer of data from the host to the device"
- <CareBear\> "Upon receiving a DMA Activate, if the host adapter’s DMA controller has been programmed and armed, the host adapter shall initiate the transmission of a Data FIS and shall transmit in this FIS the data corresponding to the host memory regions indicated by the DMA controller’s context."
- <CareBear\> FIS is a protocol unit, frame information structure
- <CareBear\> so it seems that a drive can tell the host controller that it would like for DMA to happen, but actually unless the host software has already or will in the future set up this DMA transfer then nothing happens
- <CareBear\> oh, but the drive can also send DMA Setup
- <CareBear\>if a DMA Setup FIS is sent first, with the Auto-Activate bit set, then it is already set up, and the drive can initiate DMA
- <CareBear\> "First party DMA is a superset capability not neccessarily supported by legacy mode devices or legacy mode device drivers but essential for accommodating future capabilities." translation: if the problem isn't already there it will be shortly
- <CareBear\> "Upon receiving a DMA Setup, the receiver of the FIS shall validate the received DMA Setup request" - ie. the host is supposed to validate, but hey, maybe there's a bug there..
- <CareBear\> "The specific implementation of the buffer identifier and buffer/address validation is not specified." - so noone will actually bother
- <Basstard`> "the receiver of the FIS"
- <CareBear\> in the case we're considering that's the host controller hardware in the chipset and/or the kernel driver
- <CareBear\> most likely kernel driver
- <CareBear\> francis7 : all SATA devices have flash-upgradeable firmware
- That last part is important. The firmware can be upgraded from the OS.
- <CareBear\> the harddrive is a nice computer-in-the-computer because it also has persistent storage
- Regarding USB:
- <CareBear\> then the attack surface becomes much smaller, but assuming a malicious harddrive then it can still try to get angry with the operating system
- <CareBear\> a usb drive can e.g. send malformed USB descriptors (how the PS3 was broken)
- (he's talking about so-called 'fuzzing' attacks) -

+

+ According to those linked documents, FIS type 39h is "DMA Activate FIS - Device to Host". It mentions + "transfer of data from the host to the device, and goes on to say: + Upon receiving a DMA Activate, if the host adapter's DMA controller has been programmed and armed, the host adapter shall initiate the transmission of a Data FIS + and shall transmit in this FIS the data corresponding to the host memory regions indicated by the DMA controller's context." + FIS is a protocol unit (Frame Information Structure). Based on this, it seems that a drive can tell the host controller that it would like + for DMA to happen, but unless the host software has already or will in the future set up this DMA transfer then nothing happens. + A drive can also send DMA Setup. + If a DMA Setup FIS is sent first, with the Auto-Activate bit set, then it is already set up, and the drive can initiate DMA. + The document goes on to say "Upon receiving a DMA Setup, the receiver of the FIS shall validate the received DMA Setup request." - + in other words, the host is supposed to validate; but maybe there's a bug there. + The document goes on to say "The specific implementation of the buffer identifier and buffer/address validation is not specified" - so noone will actually bother. + "the receiver of the FIS" - in the case we're considering, that's the host controller hardware in the chipset and/or the kernel driver (most + likely the kernel driver). All SATA devices have flash-upgradeable firmware, which can usually be updated by running software in the operating system (e.g. GNU/Linux); + malicious software running as root could update this firmware, or the firmware could already be malicious. + Your HDD or SSD is the perfect place for a malicious adversary to install malware, because it's a persistent storage device as well as a computer. +

Based on this, it's safe to say that use of USB instead of SATA is advisable if security is a concern. USB 2.0 has plenty of bandwidth for many HDDs (a few high-end ones can use more bandwidth than USB 2.0 is capable of), but for SSDs it might be problematic (unless you're using USB 3.0, which is not yet usable in freedom. See #firmware-usbhost).

+

+ Use of USB is also not an absolute guarantee of safety, so do beware. The attack surface becomes much smaller, but a malicious drive could still + attempt a "fuzzing" attack (e.g. sending malformed USB descriptors, which is how the tyrant DRM on the Playstation 3 was broken, so + that users could run their own operating system and run unsigned code). + (you're probably safe, unless there's a security flaw in the USB library/driver that your OS uses. USB is generally considered one of the + safest protocols, precisely because USB devices have no DMA) +

Other links:

-- cgit v0.9.1