by tptacek 2228 days ago
I skimmed the paper and while the research looks solid, just in terms of the digging they did and the documentation they're providing, this website really buries its lede: if you've got a Macbook running macOS, the Macbook IOMMU breaks the DMA attack, which is the thing you're actually worried about here.

Additionally, regardless of the OS you run, Macbooks aren't affected by the Security Level/SPI flash hacks they came up with to disable Thunderbolt security.


Last time Thunderbolt was broken (Thunderclap [1]), it was found that the Linux driver didn't activate the IOMMU. I assume that's since been fixed.

[1] https://lwn.net/Articles/782381/
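A quick way to see where a Linux box actually stands on the two points raised in this thread (is the IOMMU active, and what Thunderbolt security level is the port running at) is to read the attributes the kernel's Thunderbolt driver exposes in sysfs. The script below is an added example, not code from the commenter or from the research site under discussion. It assumes the attribute names documented in the kernel's Documentation/admin-guide/thunderbolt.rst (`security` and, on newer kernels, `iommu_dma_protection` under each `domainN`); `TB_SYSFS` and `IOMMU_GROUPS` are overridable only so the logic can be exercised against a scratch directory. The verdict in `assess` follows the thread's argument: a security level alone is exactly the mechanism the paper's Security Level/SPI flash attacks disable, so without an active IOMMU the machine is only as safe as that level.

```shell
#!/bin/sh
# Added example: report Linux Thunderbolt security level and IOMMU DMA protection.
# Paths follow Documentation/admin-guide/thunderbolt.rst; the two variables are
# assumptions that let the functions be pointed at a test directory.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"
IOMMU_GROUPS="${IOMMU_GROUPS:-/sys/kernel/iommu_groups}"

# read_attr DIR NAME: print the sysfs attribute, or "absent" if the kernel
# does not expose it (older kernels lack iommu_dma_protection entirely).
read_attr() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# iommu_active [DIR]: "yes" if at least one IOMMU group exists, i.e. the
# IOMMU is enabled and in use by the kernel; "no" otherwise.
iommu_active() {
    dir="${1:-$IOMMU_GROUPS}"
    for g in "$dir"/*; do
        [ -e "$g" ] && { echo yes; return 0; }
    done
    echo no
}

# assess LEVEL IOMMU: one-word verdict for a Thunderbolt domain.
#   LEVEL  security level string: none, user, secure, dponly, usbonly, nopcie
#   IOMMU  iommu_dma_protection attribute: 1, 0 or "absent"
# dponly/usbonly/nopcie never tunnel PCIe, so there is no DMA path to attack.
# With the IOMMU enforcing DMA protection the security level is secondary.
# Without it, "user"/"secure" rely on the security level alone (the thing the
# paper's attacks disable) and "none" exposes PCIe to any plugged-in device.
assess() {
    level="$1"; iommu="$2"
    case "$level" in
        dponly|usbonly|nopcie) echo no-pcie-tunnels; return 0 ;;
    esac
    if [ "$iommu" = 1 ]; then
        echo iommu-protected
        return 0
    fi
    case "$level" in
        none)        echo exposed ;;
        user|secure) echo level-only ;;
        *)           echo unknown ;;
    esac
}

# report: walk every Thunderbolt domain and print its verdict.
report() {
    echo "iommu groups present: $(iommu_active)"
    found=0
    for d in "$TB_SYSFS"/domain*; do
        [ -d "$d" ] || continue
        found=1
        level=$(read_attr "$d" security)
        iommu=$(read_attr "$d" iommu_dma_protection)
        printf '%s: security=%s iommu_dma_protection=%s -> %s\n' \
            "$(basename "$d")" "$level" "$iommu" "$(assess "$level" "$iommu")"
    done
    [ "$found" = 1 ] || echo "no Thunderbolt domains found under $TB_SYSFS"
    return 0
}

report
```

On a machine with the bolt daemon installed, `boltctl list` shows the same security level alongside each connected device's authorization state; the sysfs attributes above are what bolt reads underneath. An `iommu_dma_protection` of `absent` on a kernel that should have it usually means the firmware did not advertise DMA protection, which is worth checking before trusting a `user` or `secure` level.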

What's the relationship of the "bolt" project with the default driver support in Linux?
This only holds for Macbooks running MacOS. It will not be protected by the IOMMU if the system uses Bootcamp with Windows or another operating system such as Linux.
Windows 10 also supports Kernel DMA protection by IOMMU. Does Win10 on Macbooks not work for it?
No, Bootcamp enabled operating systems do not have the same protections as MacOS on the very same hardware. Apple says to use MacOS if you want (IOMMU+kDMA) security protections.
Yes, buries the lede indeed.

"THUNDERBOLT IS HOPELESSLY INSECURE AND BROKEN!!"

blah

blah

blah

blah

* except on 90% of computers shipping with Thunderbolt.

Windows PC makers were much later to TB3 and even now only ship it on a small percentage of their computers. I'm not even sure there is a Linux out of the box system with TB3 support.

Dell XPS 15 can ship with Linux.
I should have figured the machines with a Linux option would be the higher end ones for developers, makes sense from a lot of perspectives. Just didn't really look.