Tag: kernel

Kernel and pre-boot DMA Protection

Kernel Direct Memory Access (DMA) Protection is a Windows security feature that protects against external peripherals gaining unauthorized access to memory. PCIe hot-plug ports let classes of external peripherals, including graphics cards, be attached to a device with the plug-and-play ease of USB. These devices are DMA-capable and can read and write system memory without the system processor's involvement, which makes them susceptible to drive-by DMA attacks.

Pre-boot DMA Protection enables equivalent DMA protection at the system BIOS level.

When DMA Protection is enabled:
1. No device can perform DMA to the DMA-protected device between BIOS POST completion and OS driver load.
2. During BIOS POST, the EFI device driver also ensures that the device operates in a DMA-remapped region.
3. Some operating systems ensure the driver is loaded only when the system is unlocked.

Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take just a few minutes, using simple-to-moderate attack tools (affordable, off-the-shelf hardware and software) that don't require disassembling the device. In a supply-chain scenario, the attacker can temporarily install off-the-shelf hardware and exploit the system BIOS.

Source: Kernel DMA Protection – Windows Security

What is vm.min_free_kbytes and how to tune it?

The vm.min_free_kbytes setting allows the kernel to compute a minimum amount of memory in the low memory zone and reserve it for its own use.


To read the current value:

[Fri Mar 24 15:18:05 root@system:~]$sysctl vm.min_free_kbytes

vm.min_free_kbytes = 1888

To set a new value of 4MB (configure the value according to your system's requirements; ideally 1.8% is good enough):

echo 4096 > /proc/sys/vm/min_free_kbytes

To make the setting permanent across reboots, add the following entry to /etc/sysctl.conf:

vm.min_free_kbytes=4096


Source: What is vm.min_free_kbytes and how to tune it?

Linux 5.14 Mainline Should Work With The Raspberry Pi 400 – Phoronix

With the DeviceTree addition for the Raspberry Pi 400, no kernel driver changes were needed, since the board is very close to the Raspberry Pi 4. The updated DTS configuration is needed for the 1.8GHz clock rate, a different WiFi chip, power-off handling via GPIO, and the absence of an ACT LED on the 400 model.

Source: Linux 5.14 Mainline Should Work With The Raspberry Pi 400 – Phoronix