> neglected an IOMMU, so the baseband (or any other device on the bus) can wreak unlimited havoc
The Librem 5 doesn't need an IOMMU, because it uses separated components, and it uses serial buses (USB 2.0/3.0, SDIO, I2C and I2S) that don't allow direct memory access, so there is absolutely no chance of the WiFi/BT, cellular modem, GNSS and USB controller being able to access the RAM or the SoC's cache.
The USB URB structure has a field named 'dma_addr_t transfer_dma', used for DMA access. I've abused that to chain vulnerabilities. To boot, it is possible to develop an I2C-B2C or SPI bus master which is capable of DMA toward the host memory. In Linux 2.5 and later kernels, USB device drivers have additional control over how DMA may be used to perform I/O operations.
Do any of these guys actually read the hardware specs or do any real hardware hacking?