*countable infinities only
Gerry Reno
greno at verizon.net
Thu May 31 17:42:30 UTC 2012
On 05/31/2012 01:34 PM, Jon Ciesla wrote:
> On Thu, May 31, 2012 at 12:22 PM, Gerry Reno <greno at verizon.net> wrote:
>> On 05/31/2012 01:19 PM, Jon Ciesla wrote:
>>> On Thu, May 31, 2012 at 12:16 PM, Gerry Reno <greno at verizon.net> wrote:
>>>> On 05/31/2012 01:10 PM, Gregory Maxwell wrote:
>>>>> On Thu, May 31, 2012 at 1:07 PM, Gerry Reno <greno at verizon.net> wrote:
>>>>>> Could be any of a thousand ways to implement this.
>>>>>> Maybe it checks the BIOS to determine whether some SecureBoot flag is set.
>>>>> While it pains me to argue with someone on my side— you're incorrect.
>>>>> The compromised system would just intercept and emulate or patch out that test.
>>>> Then what's missing here is a way for booted OS's to test themselves for integrity.
>>> Maybe some sort of cryptographic signature stored in the hardware?
>>>
>>> <ducks>
>>>
>>> -J
>>>
>>> </sarcasm>
>>>
>> Just not dictated by one monopoly.
> Ideally, no. But you see the problem. I'm divided on the solution
> myself, but I've yet to see one I feel better about.
>
> -J
>
>
This game of cat and mouse with the blackhats is not going to end until we have some type of read-only partitions where
known good code resides.
And the user must hit a hardware button to enable read-write to change anything there.
We just keep pushing these blackhats to different layers. Next they'll be flashing our BIOSes and eliminating all
protections SecureBoot and otherwise.
.
More information about the devel
mailing list