• jlsalvador@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Caution disabling mitigations. Only enable on air-gap devices (devices without any connection, airplane mode).

    • Mkengine@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Do you mean I would have to execute the code for enabling and disabling every time I switch Wifi on and off? How severe is this, would it be okay to use it with wifi at home or does that not matter?

      • NGnius@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Ideally yes, though it would probably also require a reboot to apply. Realistically disabling security mitigations should only expose you to risk when you execute untrusted code (e.g. load a website, run an untrusted program, or etc.), but there’s no way of telling if someone could connect to your system using an exploit and then abuse those hardware security flaws.

        Consider your own risk tolerance – is it worth it to you to get that extra few % of performance and risk someone gaining access to information on your Deck (and/or using that information to access other sensitive information)? It might also be worth mentioning that most games aren’t 100% trustworthy since we don’t exactly know what they’re running since game studios don’t share their source code.

    • kadu@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Oh no! If I disable mitigations some hacker will use very specific exploits to try and extract random data from memory out of my Steam Deck! Oh my! That’s terrible, I store all my credentials on a volatile RAM drive on my Deck all the time!

      • jlsalvador@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Hehe. Or they could send a 0 to your fan velocity. Or flash/lock (setting the flash bit to 0) your BIOS through ACPI calls. Even stolen your Steam token credential. I saw an example that runs commands as a Systemd volatile user service. There are a few POCs on GitHub about recovery passwords from the browser (sand-boxed environment) for generic environments. I think that everyone here is old enough to understand the consequences of our acts.