> In Transparent mode I would assume any DMA attacks which work today would continue to function
That makes sense: DMA must be possible in transparent mode, otherwise nothing would work. Which also means there must be a physical possibility for PCI devices to use the encryption engine.
However, I suspect that the only key ever available to PCI devices is the key of the host OS (if transparent mode is enabled) and encrypted guests can't use DMA to passed-through devices at all. Otherwise, the host could try to program a passed-through device while the guest isn't executing at the moment and mess with the guest's memory using DMA. If that's true, a simple solution to hide from DMA attacks is running inside an encrypted VM, assuming that they really got the design and implementation of this feature right.
So I see a number of possibilities here:
1. USB controller will have DMA enabled, but you'll get back unencrypted memory from the memory region allocated to the OS that initialized the USB controller (i.e. all your RAM if you only run one OS)
2. USB controller will have DMA enabled, but you'll get back encrypted data from memory (I think this is less likely)
3. DMA must be explicitly enabled by the OS, so until that occurs DMA will remain disabled.
The AnandTech article does mention that OS modifications are necessary unless the encryption operated in Transparent mode (a setting in UEFI). In Transparent mode I would assume any DMA attacks which work today would continue to function since the behaviour of the platform is identical to previous processors.
Disclaimer: armchair speculation