https://www.qubes-os.org/doc/user-faq/#can-i-install-qubes-on-a-system-without-vt-d
"an attacker could always use a simple DMA attack to go from the NetVM to Dom0"
So what does this mean though..?
Can they launch this DMA attack from a compromised App VM..?
Could they simply do a browser exploit in an App VM, and then do a DMA attack from there to go to dom0..?
Or is it a lot harder than that..?
I'm just trying to work out whether it's really worth buying a new laptop just to get VT-D.... I currently have VT-X, but not VT-D.
I guess it's up to your budget, man. Maybe this will help you decide. http://theinvisiblethings.blogspot.com/2010/04/remotely-attacking-network-cards-or-why.html
I'm no expert but I'll try to answer your questions.
DMA generally means malware put in the network card or graphics card to get direct memory access. In other words, malware going straight from the piece of hardware, bypassing the operating system software, to use, or retrieve, or manipulate the running memory directly.
It's not a browser exploit unless somehow the browser exploits and infects the graphics card, which is highly unlikely in Qubes since most of the GPU functions are limited to dom0 and not in the AppVM where you would be running your browser.
The main benefit would be to try and prevent DMA attacks from the network card and the NetVM, which receives all the packets from the internet, and which Qubes considers always unsafe. How hard is it? Probably not as hard as infecting the GPU card, and well, I'm only a noob but I doubt it's very easy. It's probably something that would happen from a more personal or targeted attack, not something random. But then again this is 2016 so who knows lol.
Or can they be sent just purely over the internet itself to any device connected to the web...? Directly send packets just over the web?
Or does it require attacking the Net VM, and not just the App VM... however that would be done...?
I'm just trying to figure out FROM WHERE the network card could be attacked.
All network packets go to your network card. I'm not sure what you mean? It can be attacked from anywhere in the world wide web.
I guess you are asking me specifically how? I dunno man, I'm a noob. I guess there are many ways, for example reverse shell from buggy dhclient or ICMP packet, or who the heck knows. Probably too many possibilities to list. Joanna's blog mentioned a PoC from a buffer overflow.
Another thing to consider is you have to trust the Intel firmware sometimes.
I guess I would also assume wireless network card to be more vulnerable, but maybe someone more expert can reply.
Just like you create a USB qube, to isolate USB from dom0
But still.. no one has ever shown a proof of concept for this... You see plenty of videos of people exploiting browsers with Metasploit... but no videos of anyone doing DMA attacks
Still, I take Joanna's word for it that it's a real thing.
Maybe just a MITM, maybe your infected router infecting your netcard. I mean, I really don't know, there are many possibilities on where the malicious packet is coming from.
I don't really think the attack would be coming from an infected AppVM, which, it should be noted, is also not easy to make persistent. But it is possible for an infected AppVM to then infect the NetVM and then change your netcard firmware, I guess. Again, not as easy as just that magic packet coming from god knows where to your very vulnerable network card.
You know what, get the IOMMU machine, it's also not 100% (nothing is) but it would make it a lot harder.
There are many PoCs, do some Google searching. How likely to happen to yourself? I wouldn't know. Most likely a very persistent person personally targeting you, but in 2016 I consider us all targets, and no, I don't mean by the government... I'm super paranoid though, that's why I'm using Qubes lol.
But yes you are correct just like when creating a usb qube.
I think Qubes is also working on being able to have like an onboard GPU isolated only to dom0, and another GPU for domU AppVMs. But most people just want that for GPU passthrough, which doesn't necessarily = security for me, but I'm a very nooby user.
Perhaps this should even be posted somewhere on the QUBES website.
I think that's convinced me that I definitely need to get VT-D.