Similar to Thunderbolt, supporting FireWire is dangerous as it allows Direct Memory Access (DMA) attacks, which are known to be actively used by more sophisticated attackers (https://wikileaks%5B.%5Dorg/spyfiles/files/0/293_GAMMA-201110-FinFireWire.pd...).
Since network hardware using FireWire is diminishing, and there is no other legitimate reason to use FireWire on an IPFire machine, dropping support for it looks reasonable to me.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/kernel/kernel.config.aarch64-ipfire | 12 +---------
.../kernel.config.armv5tel-ipfire-multi | 12 +---------
config/kernel/kernel.config.i586-ipfire | 23 +------------------
config/kernel/kernel.config.x86_64-ipfire | 23 +------------------
4 files changed, 4 insertions(+), 66 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index c616cbb85..03dc67c06 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1936,10 +1936,7 @@ CONFIG_DM_SWITCH=m
 #
 # IEEE 1394 (FireWire) support
 #
-CONFIG_FIREWIRE=m
-CONFIG_FIREWIRE_OHCI=m
-CONFIG_FIREWIRE_SBP2=m
-# CONFIG_FIREWIRE_NET is not set
+# CONFIG_FIREWIRE is not set
 # CONFIG_FIREWIRE_NOSY is not set
 CONFIG_NETDEVICES=y
 CONFIG_MII=m
@@ -3899,11 +3896,6 @@ CONFIG_VIDEO_SH_VEU=m
 # Supported MMC/SDIO adapters
 #
 # CONFIG_SMS_SDIO_DRV is not set
-
-#
-# Supported FireWire (IEEE 1394) Adapters
-#
-# CONFIG_DVB_FIREDTV is not set
 CONFIG_MEDIA_COMMON_OPTIONS=y
 
 #
@@ -4550,7 +4542,6 @@ CONFIG_SND_BCD2000=m
 # CONFIG_SND_USB_PODHD is not set
 # CONFIG_SND_USB_TONEPORT is not set
 # CONFIG_SND_USB_VARIAX is not set
-# CONFIG_SND_FIREWIRE is not set
 CONFIG_SND_SOC=m
 CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y
 # CONFIG_SND_SOC_AMD_ACP is not set
@@ -5471,7 +5462,6 @@ CONFIG_STAGING=y
 #
 # CONFIG_STAGING_BOARD is not set
 CONFIG_LTE_GDM724X=m
-# CONFIG_FIREWIRE_SERIAL is not set
 # CONFIG_LNET is not set
 # CONFIG_DGNC is not set
 # CONFIG_GS_FPGABOOT is not set
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi
index 5280a6a62..fb667f367 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-multi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
@@ -2206,10 +2206,7 @@ CONFIG_DM_SWITCH=m
 #
 # IEEE 1394 (FireWire) support
 #
-CONFIG_FIREWIRE=m
-CONFIG_FIREWIRE_OHCI=m
-CONFIG_FIREWIRE_SBP2=m
-# CONFIG_FIREWIRE_NET is not set
+# CONFIG_FIREWIRE is not set
 # CONFIG_FIREWIRE_NOSY is not set
 CONFIG_NETDEVICES=y
 CONFIG_MII=m
@@ -4260,11 +4257,6 @@ CONFIG_VIDEO_TI_CSC=m
 # Supported MMC/SDIO adapters
 #
 # CONFIG_SMS_SDIO_DRV is not set
-
-#
-# Supported FireWire (IEEE 1394) Adapters
-#
-# CONFIG_DVB_FIREDTV is not set
 CONFIG_MEDIA_COMMON_OPTIONS=y
 
 #
@@ -4966,7 +4958,6 @@ CONFIG_SND_BCD2000=m
 # CONFIG_SND_USB_PODHD is not set
 # CONFIG_SND_USB_TONEPORT is not set
 # CONFIG_SND_USB_VARIAX is not set
-# CONFIG_SND_FIREWIRE is not set
 CONFIG_SND_SOC=m
 CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y
 # CONFIG_SND_SOC_AMD_ACP is not set
@@ -5946,7 +5937,6 @@ CONFIG_STAGING=y
 #
 # CONFIG_STAGING_BOARD is not set
 CONFIG_LTE_GDM724X=m
-# CONFIG_FIREWIRE_SERIAL is not set
 # CONFIG_LNET is not set
 # CONFIG_DGNC is not set
 # CONFIG_GS_FPGABOOT is not set
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 3e31119f6..7235b70f2 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -2107,10 +2107,7 @@ CONFIG_FUSION_LOGGING=y
 #
 # IEEE 1394 (FireWire) support
 #
-CONFIG_FIREWIRE=m
-CONFIG_FIREWIRE_OHCI=m
-CONFIG_FIREWIRE_SBP2=m
-# CONFIG_FIREWIRE_NET is not set
+# CONFIG_FIREWIRE is not set
 # CONFIG_FIREWIRE_NOSY is not set
 CONFIG_MACINTOSH_DRIVERS=y
 # CONFIG_MAC_EMUMOUSEBTN is not set
@@ -4119,12 +4116,6 @@ CONFIG_DVB_PLATFORM_DRIVERS=y
 # Supported MMC/SDIO adapters
 #
 # CONFIG_SMS_SDIO_DRV is not set
-
-#
-# Supported FireWire (IEEE 1394) Adapters
-#
-CONFIG_DVB_FIREDTV=m
-CONFIG_DVB_FIREDTV_INPUT=y
 CONFIG_MEDIA_COMMON_OPTIONS=y
 
 #
@@ -4880,17 +4871,6 @@ CONFIG_SND_USB_POD=m
 CONFIG_SND_USB_PODHD=m
 CONFIG_SND_USB_TONEPORT=m
 CONFIG_SND_USB_VARIAX=m
-CONFIG_SND_FIREWIRE=y
-CONFIG_SND_FIREWIRE_LIB=m
-CONFIG_SND_DICE=m
-CONFIG_SND_OXFW=m
-# CONFIG_SND_ISIGHT is not set
-CONFIG_SND_FIREWORKS=m
-CONFIG_SND_BEBOB=m
-CONFIG_SND_FIREWIRE_DIGI00X=m
-CONFIG_SND_FIREWIRE_TASCAM=m
-# CONFIG_SND_FIREWIRE_MOTU is not set
-# CONFIG_SND_FIREFACE is not set
 CONFIG_SND_PCMCIA=y
 # CONFIG_SND_VXPOCKET is not set
 # CONFIG_SND_PDAUDIOCF is not set
@@ -5608,7 +5588,6 @@ CONFIG_FB_SM750=m
 # Android
 #
 CONFIG_LTE_GDM724X=m
-# CONFIG_FIREWIRE_SERIAL is not set
 # CONFIG_LNET is not set
 # CONFIG_DGNC is not set
 # CONFIG_GS_FPGABOOT is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index f6953482f..0e56a0a69 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -2085,10 +2085,7 @@ CONFIG_FUSION_LOGGING=y
 #
 # IEEE 1394 (FireWire) support
 #
-CONFIG_FIREWIRE=m
-CONFIG_FIREWIRE_OHCI=m
-CONFIG_FIREWIRE_SBP2=m
-# CONFIG_FIREWIRE_NET is not set
+# CONFIG_FIREWIRE is not set
 # CONFIG_FIREWIRE_NOSY is not set
 CONFIG_MACINTOSH_DRIVERS=y
 # CONFIG_MAC_EMUMOUSEBTN is not set
@@ -4012,12 +4009,6 @@ CONFIG_VIDEO_SH_VEU=m
 # Supported MMC/SDIO adapters
 #
 # CONFIG_SMS_SDIO_DRV is not set
-
-#
-# Supported FireWire (IEEE 1394) Adapters
-#
-CONFIG_DVB_FIREDTV=m
-CONFIG_DVB_FIREDTV_INPUT=y
 CONFIG_MEDIA_COMMON_OPTIONS=y
 
 #
@@ -4719,17 +4710,6 @@ CONFIG_SND_USB_POD=m
 CONFIG_SND_USB_PODHD=m
 CONFIG_SND_USB_TONEPORT=m
 CONFIG_SND_USB_VARIAX=m
-CONFIG_SND_FIREWIRE=y
-CONFIG_SND_FIREWIRE_LIB=m
-# CONFIG_SND_DICE is not set
-CONFIG_SND_OXFW=m
-# CONFIG_SND_ISIGHT is not set
-CONFIG_SND_FIREWORKS=m
-CONFIG_SND_BEBOB=m
-CONFIG_SND_FIREWIRE_DIGI00X=m
-CONFIG_SND_FIREWIRE_TASCAM=m
-# CONFIG_SND_FIREWIRE_MOTU is not set
-# CONFIG_SND_FIREFACE is not set
 CONFIG_SND_PCMCIA=y
 # CONFIG_SND_VXPOCKET is not set
 # CONFIG_SND_PDAUDIOCF is not set
@@ -5472,7 +5452,6 @@ CONFIG_RTLWIFI_DEBUG_ST=y
 # Android
 #
 CONFIG_LTE_GDM724X=m
-# CONFIG_FIREWIRE_SERIAL is not set
 # CONFIG_LNET is not set
 # CONFIG_DGNC is not set
 # CONFIG_GS_FPGABOOT is not set
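Review bot: The `# CONFIG_FIREWIRE is not set` line added in the `IEEE 1394 (FireWire) support` hunks of `kernel.config.i586-ipfire` and `kernel.config.x86_64-ipfire` does not cover the x86 early-boot debug option `CONFIG_PROVIDE_OHCI1394_DMA_INIT`, which sits outside this menu and does not depend on `CONFIG_FIREWIRE`. That symbol is not visible in any hunk here, so its state cannot be judged from this patch; both x86 configs should be checked to contain `# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set`. If it were enabled, OHCI-1394 physical DMA could still be initialised at boot without the driver stack, and the stated goal of removing the FireWire DMA path would only partly hold. The commit message would also benefit from one sentence saying that other DMA-capable buses are untouched by this change and still rely on IOMMU configuration.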
Good morning Peter,
since FireWire hardware has been basically non-existent for many, many years, I do not think that this patch drastically improves the security of the system.
If an attacker has physical access to the system, other attacks are possible, too, and firewire is not a necessity.
However, there is no reason left to actually compile this. It wastes more build power than it is useful.
So I can ack this:
Acked-by: Michael Tremer michael.tremer@ipfire.org
I suppose that again you didn't build this because there are no roofile changes?!
Best, -Michael
On Sat, 2020-07-25 at 19:46 +0000, Peter Müller wrote:
Similar to Thunderbolt, supporting FireWire is dangerous as it allows Direct Memory Attacks, which are known to be actively used by more sophisticated attackers ( https://wikileaks%5B.%5Dorg/spyfiles/files/0/293_GAMMA-201110-FinFireWire.pd... ).
Since network hardware using FireWire is diminishing, and there is no other legitimate reason to use FireWire on an IPFire machine, dropping support for it looks reasonable to me.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.aarch64-ipfire | 12 +--------- .../kernel.config.armv5tel-ipfire-multi | 12 +--------- config/kernel/kernel.config.i586-ipfire | 23 +--------------
config/kernel/kernel.config.x86_64-ipfire | 23 +--------------
4 files changed, 4 insertions(+), 66 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index c616cbb85..03dc67c06 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1936,10 +1936,7 @@ CONFIG_DM_SWITCH=m # # IEEE 1394 (FireWire) support # -CONFIG_FIREWIRE=m -CONFIG_FIREWIRE_OHCI=m -CONFIG_FIREWIRE_SBP2=m -# CONFIG_FIREWIRE_NET is not set +# CONFIG_FIREWIRE is not set # CONFIG_FIREWIRE_NOSY is not set CONFIG_NETDEVICES=y CONFIG_MII=m @@ -3899,11 +3896,6 @@ CONFIG_VIDEO_SH_VEU=m # Supported MMC/SDIO adapters # # CONFIG_SMS_SDIO_DRV is not set
-# -# Supported FireWire (IEEE 1394) Adapters -# -# CONFIG_DVB_FIREDTV is not set CONFIG_MEDIA_COMMON_OPTIONS=y
# @@ -4550,7 +4542,6 @@ CONFIG_SND_BCD2000=m # CONFIG_SND_USB_PODHD is not set # CONFIG_SND_USB_TONEPORT is not set # CONFIG_SND_USB_VARIAX is not set -# CONFIG_SND_FIREWIRE is not set CONFIG_SND_SOC=m CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_SOC_AMD_ACP is not set @@ -5471,7 +5462,6 @@ CONFIG_STAGING=y # # CONFIG_STAGING_BOARD is not set CONFIG_LTE_GDM724X=m -# CONFIG_FIREWIRE_SERIAL is not set # CONFIG_LNET is not set # CONFIG_DGNC is not set # CONFIG_GS_FPGABOOT is not set diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 5280a6a62..fb667f367 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -2206,10 +2206,7 @@ CONFIG_DM_SWITCH=m # # IEEE 1394 (FireWire) support # -CONFIG_FIREWIRE=m -CONFIG_FIREWIRE_OHCI=m -CONFIG_FIREWIRE_SBP2=m -# CONFIG_FIREWIRE_NET is not set +# CONFIG_FIREWIRE is not set # CONFIG_FIREWIRE_NOSY is not set CONFIG_NETDEVICES=y CONFIG_MII=m @@ -4260,11 +4257,6 @@ CONFIG_VIDEO_TI_CSC=m # Supported MMC/SDIO adapters # # CONFIG_SMS_SDIO_DRV is not set
-# -# Supported FireWire (IEEE 1394) Adapters -# -# CONFIG_DVB_FIREDTV is not set CONFIG_MEDIA_COMMON_OPTIONS=y
# @@ -4966,7 +4958,6 @@ CONFIG_SND_BCD2000=m # CONFIG_SND_USB_PODHD is not set # CONFIG_SND_USB_TONEPORT is not set # CONFIG_SND_USB_VARIAX is not set -# CONFIG_SND_FIREWIRE is not set CONFIG_SND_SOC=m CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_SOC_AMD_ACP is not set @@ -5946,7 +5937,6 @@ CONFIG_STAGING=y # # CONFIG_STAGING_BOARD is not set CONFIG_LTE_GDM724X=m -# CONFIG_FIREWIRE_SERIAL is not set # CONFIG_LNET is not set # CONFIG_DGNC is not set # CONFIG_GS_FPGABOOT is not set diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 3e31119f6..7235b70f2 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -2107,10 +2107,7 @@ CONFIG_FUSION_LOGGING=y # # IEEE 1394 (FireWire) support # -CONFIG_FIREWIRE=m -CONFIG_FIREWIRE_OHCI=m -CONFIG_FIREWIRE_SBP2=m -# CONFIG_FIREWIRE_NET is not set +# CONFIG_FIREWIRE is not set # CONFIG_FIREWIRE_NOSY is not set CONFIG_MACINTOSH_DRIVERS=y # CONFIG_MAC_EMUMOUSEBTN is not set @@ -4119,12 +4116,6 @@ CONFIG_DVB_PLATFORM_DRIVERS=y # Supported MMC/SDIO adapters # # CONFIG_SMS_SDIO_DRV is not set
-# -# Supported FireWire (IEEE 1394) Adapters -# -CONFIG_DVB_FIREDTV=m -CONFIG_DVB_FIREDTV_INPUT=y CONFIG_MEDIA_COMMON_OPTIONS=y
# @@ -4880,17 +4871,6 @@ CONFIG_SND_USB_POD=m CONFIG_SND_USB_PODHD=m CONFIG_SND_USB_TONEPORT=m CONFIG_SND_USB_VARIAX=m -CONFIG_SND_FIREWIRE=y -CONFIG_SND_FIREWIRE_LIB=m -CONFIG_SND_DICE=m -CONFIG_SND_OXFW=m -# CONFIG_SND_ISIGHT is not set -CONFIG_SND_FIREWORKS=m -CONFIG_SND_BEBOB=m -CONFIG_SND_FIREWIRE_DIGI00X=m -CONFIG_SND_FIREWIRE_TASCAM=m -# CONFIG_SND_FIREWIRE_MOTU is not set -# CONFIG_SND_FIREFACE is not set CONFIG_SND_PCMCIA=y # CONFIG_SND_VXPOCKET is not set # CONFIG_SND_PDAUDIOCF is not set @@ -5608,7 +5588,6 @@ CONFIG_FB_SM750=m # Android # CONFIG_LTE_GDM724X=m -# CONFIG_FIREWIRE_SERIAL is not set # CONFIG_LNET is not set # CONFIG_DGNC is not set # CONFIG_GS_FPGABOOT is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index f6953482f..0e56a0a69 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -2085,10 +2085,7 @@ CONFIG_FUSION_LOGGING=y # # IEEE 1394 (FireWire) support # -CONFIG_FIREWIRE=m -CONFIG_FIREWIRE_OHCI=m -CONFIG_FIREWIRE_SBP2=m -# CONFIG_FIREWIRE_NET is not set +# CONFIG_FIREWIRE is not set # CONFIG_FIREWIRE_NOSY is not set CONFIG_MACINTOSH_DRIVERS=y # CONFIG_MAC_EMUMOUSEBTN is not set @@ -4012,12 +4009,6 @@ CONFIG_VIDEO_SH_VEU=m # Supported MMC/SDIO adapters # # CONFIG_SMS_SDIO_DRV is not set
-# -# Supported FireWire (IEEE 1394) Adapters -# -CONFIG_DVB_FIREDTV=m -CONFIG_DVB_FIREDTV_INPUT=y CONFIG_MEDIA_COMMON_OPTIONS=y
# @@ -4719,17 +4710,6 @@ CONFIG_SND_USB_POD=m CONFIG_SND_USB_PODHD=m CONFIG_SND_USB_TONEPORT=m CONFIG_SND_USB_VARIAX=m -CONFIG_SND_FIREWIRE=y -CONFIG_SND_FIREWIRE_LIB=m -# CONFIG_SND_DICE is not set -CONFIG_SND_OXFW=m -# CONFIG_SND_ISIGHT is not set -CONFIG_SND_FIREWORKS=m -CONFIG_SND_BEBOB=m -CONFIG_SND_FIREWIRE_DIGI00X=m -CONFIG_SND_FIREWIRE_TASCAM=m -# CONFIG_SND_FIREWIRE_MOTU is not set -# CONFIG_SND_FIREFACE is not set CONFIG_SND_PCMCIA=y # CONFIG_SND_VXPOCKET is not set # CONFIG_SND_PDAUDIOCF is not set @@ -5472,7 +5452,6 @@ CONFIG_RTLWIFI_DEBUG_ST=y # Android # CONFIG_LTE_GDM724X=m -# CONFIG_FIREWIRE_SERIAL is not set # CONFIG_LNET is not set # CONFIG_DGNC is not set # CONFIG_GS_FPGABOOT is not set