*countable infinities only
greno at verizon.net
Thu May 31 17:42:30 UTC 2012
On 05/31/2012 01:34 PM, Jon Ciesla wrote:
> On Thu, May 31, 2012 at 12:22 PM, Gerry Reno <greno at verizon.net> wrote:
>> On 05/31/2012 01:19 PM, Jon Ciesla wrote:
>>> On Thu, May 31, 2012 at 12:16 PM, Gerry Reno <greno at verizon.net> wrote:
>>>> On 05/31/2012 01:10 PM, Gregory Maxwell wrote:
>>>>> On Thu, May 31, 2012 at 1:07 PM, Gerry Reno <greno at verizon.net> wrote:
>>>>>> Could be any of a thousand ways to implement this.
>>>>>> Maybe it checks the BIOS to determine whether some SecureBoot flag is set.
>>>>> While it pains me to argue with someone on my side— you're incorrect.
>>>>> The compromised system would just intercept and emulate or patch out that test.
>>>> Then what's missing here is a way for booted OS's to test themselves for integrity.
>>> Maybe some sort of cryptographic signature stored in the hardware?
>> Just not dictated by one monopoly.
> Ideally, no. But you see the problem. I'm divided on the solution
> myself, but I've yet to see one I feel better about.
This game of cat and mouse with the blackhats is not going to end until we have some type of read-only partitions where
known good code resides.
And the user must hit a hardware button to enable read-write to change anything there.
We just keep pushing these blackhats to different layers. Next they'll be flashing our BIOSes and eliminating all
protections SecureBoot and otherwise.
More information about the devel