[londons_explore]

The simple solution is memory isolation - let the modem be as insecure as you like, but anyone who breaks into the modem can only see your network traffic (hopefully all encrypted anyway) and nothing else.

Sadly todays qualcomm hardware has no real memory isolation at all - any bit of on-chip hardware can see all memory.

It isn't perfect, but it's far easier to do that than properly secure a multi-million lines of code codebase with a substantial amount of unpatchable hardware...

[baybal2]

There is an IOMMU on snapdragons, as the article says, but it is the IOMMU mapping itself which they attack.

This itself is kind of mind boggling how they let the device overwrite its own IOMMU configuration, effectively nullifying IOMMU's purpose, and its provided safeties.

It's like fencing your house with 10 meter high walls, but leaving the key lying in front of the gate.

[octoberfranklin]

So, like you say: they don't have an IOMMU, although they have some dingus which is called an "IOMMU".

[panpanna]

There is definitely memory protection in the modem. If nothing else because the code is so horrible it crashes all the time.

Three is even a hypervisor for hexagon but I don't think it is used.

[londons_explore]

As someone else said, it's not a security barrier between the ARM core and the radio hardware bits... It's more a tool for remapping stuff to make system design easier, and as a way of protecting against evil hardware outside the SoC.

I believe it can prevent the ARM core tampering with private radio hardware memory, but not the other way round.

[panpanna]

I think Qualcomm XPUs can be used as barriers (pretty much the same way SMMUs are used).

XPUs + hypervisor should be enough, assuming Qualcomm enables them and configures them correctly.