-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
In theory, my answer would be "IOMMU isolates Thunderbolt devices, so it
isn't a concern". But unfortunately practice can be far from it:
1. As mentioned in the advisory, effective IOMMU isolation for
Thunderbolt is available in hardware produced in 2019+ only.
2. Configuring IOMMU for hot-pluggable devices is generally racy.
In Qubes we do disable PCI hotplug handling in the kernel, but that's only a
small obstacle for the attacker, in many cases bypassable
- unless proper IOMMU configuration is applied at the right time, in
many cases the device can access host memory even if no driver is loaded
for it.
So, my advice would be to disable Thunderbolt until further notice.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl67OOYACgkQ24/THMrX
1yy7ggf9GIWc6+/lXO0P3TozLj7iIaBIUkZtT/OerXywiNivnPrRQ4Ybmmia/UQ+
mF07GsDBzxv6ZxSVEdw3YjGqJpwvVbb1fCXeeb7Nd98GpwKmzfbL07JKZ8Bkp1Mf
pYeEXfZk4MwVsGwwxJB7mjtWoaYMSFE391Ql/njquLFFCo70FPt+NN5yY+wuv5SA
KardT7UG0a5tn7IabyaAU7Bx7Q1rU9gZVvm6EHy//tSqxMw4VXhAmXo7uoeaUiUL
Bvq2ls/2B/eIbhm0HDv3cmDaeOUOYMaejdGkIvlhRxBzN5E4tOqrsrGxnpzpMFiI
3yTgFIL2gU1yCsniei7/9Gxbp8Te0A==
=iVxs
-----END PGP SIGNATURE-----
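The message above hinges on two things a defender can actually check on a Linux host: whether the IOMMU is active at all, and what the kernel reports for each Thunderbolt domain. The script below is an added example, not part of Marek's message or of Qubes itself. It reads the sysfs locations the Linux thunderbolt driver exposes (`/sys/kernel/iommu_groups`, and `security` plus `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domain*`), and takes a root directory argument so it can be exercised against a constructed fake sysfs tree offline as well as against the real `/`. The verdict words (`ok`, `exposed`, `no-tb`) and the `make_fake` helper are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the original message): check the two conditions the
# reply depends on, as exposed by Linux sysfs.
#   * IOMMU active?            -> /sys/kernel/iommu_groups is non-empty
#   * Thunderbolt DMA posture? -> /sys/bus/thunderbolt/devices/domainN/security
#                                 and .../iommu_dma_protection (1 = firmware
#                                 Kernel DMA Protection in effect)
# Every function takes an optional root directory (default "/") so the same
# code runs against a constructed fake tree.

# Print "enabled" if at least one IOMMU group directory exists, else "disabled".
iommu_status() {
    root=${1:-/}
    for g in "$root"/sys/kernel/iommu_groups/*; do
        if [ -d "$g" ]; then echo enabled; return 0; fi
    done
    echo disabled
}

# One line per Thunderbolt domain: "domainN security=<level> dma_protection=<v>".
# Prints "no-thunderbolt-domains" when the bus is absent (Thunderbolt disabled
# in firmware, or the thunderbolt driver not loaded), i.e. nothing to isolate.
tb_domains() {
    root=${1:-/}
    found=0
    for d in "$root"/sys/bus/thunderbolt/devices/domain*; do
        [ -d "$d" ] || continue
        found=1
        level=$(cat "$d/security" 2>/dev/null || echo unknown)
        prot=$(cat "$d/iommu_dma_protection" 2>/dev/null || echo unknown)
        echo "$(basename "$d") security=$level dma_protection=$prot"
    done
    [ "$found" -eq 1 ] || echo no-thunderbolt-domains
}

# Single-word verdict (names are this example's own):
#   no-tb   - no Thunderbolt domain visible
#   exposed - Thunderbolt present but IOMMU off, or a domain without
#             dma_protection=1 (the 2019+ hardware case from the reply)
#   ok      - IOMMU active and every domain reports dma_protection=1
verdict() {
    root=${1:-/}
    domains=$(tb_domains "$root")
    case $domains in
        no-thunderbolt-domains) echo no-tb; return 0 ;;
    esac
    if [ "$(iommu_status "$root")" != enabled ]; then echo exposed; return 0; fi
    # grep -v selects lines NOT ending in dma_protection=1; -q succeeds if any exist
    if echo "$domains" | grep -qv 'dma_protection=1$'; then echo exposed; return 0; fi
    echo ok
}

# Constructed sample sysfs trees (not captured from real machines) so all three
# outcomes can be demonstrated offline.
# usage: make_fake DIR HAS_IOMMU_GROUP(0|1) HAS_DOMAIN(yes|no) LEVEL PROT
make_fake() {
    mkdir -p "$1/sys/kernel/iommu_groups" "$1/sys/bus/thunderbolt/devices"
    if [ "$2" = 1 ]; then mkdir -p "$1/sys/kernel/iommu_groups/0"; fi
    if [ "$3" = yes ]; then
        mkdir -p "$1/sys/bus/thunderbolt/devices/domain0"
        echo "$4" > "$1/sys/bus/thunderbolt/devices/domain0/security"
        echo "$5" > "$1/sys/bus/thunderbolt/devices/domain0/iommu_dma_protection"
    fi
}

# Demo on the constructed trees; on a real host run: verdict /
tmp=$(mktemp -d)
make_fake "$tmp/a" 1 yes secure 1   # IOMMU on, firmware DMA protection on
make_fake "$tmp/b" 0 yes user 0     # IOMMU off, older platform
make_fake "$tmp/c" 1 no             # Thunderbolt absent/disabled
for m in a b c; do
    echo "== $m: $(verdict "$tmp/$m")"
    tb_domains "$tmp/$m"
done
rm -rf "$tmp"
```

Against a real machine, `verdict /` reporting `exposed` is exactly the situation the reply describes: a Thunderbolt controller is present but the kernel cannot vouch for IOMMU-backed isolation, so disabling Thunderbolt in firmware (which makes the check return `no-tb`) is the conservative option. An `unknown` value for `iommu_dma_protection` simply means the running kernel does not expose that attribute, and the script treats it as not protected.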