[Whonix-devel] DRAMA countermeasures

bancfc at openmailbox.org bancfc at openmailbox.org
Sat Aug 27 21:05:55 CEST 2016



I had an interesting alternative in mind based on some of the other 
mitigation advice: blocking timing information as a possible solution.

With KVM, CPU instructions can be masked out by QEMU and not be 
available to guests. I already blacklisted clflush some time ago. The 
different variants of the tsc instruction are not passed through by 
default either.

All timers except acpi_pm are disabled too.

I was wondering how helpful all this is? and how much this remaining 
timer can aid attacks?

Are we in the clear if I figure out how to eliminate acpi_pm?


Details on acpi_pm precision:

"The ACPI Power Management Timer (or ACPI PMT) is yet another clock 
device included in almost all ACPI-based motherboards. Its clock signal 
has a fixed frequency of roughly 3.58 MHz. The device is actually a 
simple counter increased at each clock tick"

https://stackoverflow.com/a/7987771


More information about the Whonix-devel mailing list