grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: help installing grub-ima

From: Robert Millan
Subject: Re: help installing grub-ima
Date: Tue, 23 Oct 2007 22:17:13 +0200
User-agent: Mutt/1.5.13 (2006-08-11) 
On Tue, Oct 23, 2007 at 09:11:58AM -0500, Andrei E. Warkentin wrote:
> ...Because having the ability, to be certain you didn't have a  
> hypervirus or at runtime-binary-patched kernel booted due to a hacked  
> bootloader loading from something like a USB stick, is one step  
> towards "treacherous computing", whatever that is.

If you had any of the situations described, you wouldn't be able to trust
the APIs you use to access the Treacherous Chip at all.  The funny thing is
that third parties would [1], but not you.

[1] Well, assuming our hypervirus is not dumb, they would just see that
    your computer lacks a Treacherous Chip or is not using it, which is
    not very useful.  But of course, this has an easy solution:
    - Premise: everyone who's not on TC is therefore running an hypervirus
    - Consequence: let the witch hunt begin!  :-)

> I think the SELinux people might object to that. One of the biggest  
> problems with security in Linux is that the Linux kernel is not and  
> cannot be the core root of trust, as it is by far not the first thing  
> running and is not located on unmodifiable medium.

How can you trust your BIOS if you can't even read its source code, let
alone verify it was built from it?

> Man, those write-once read-many system-measurement registers are just  
> one step closer to losing the right to read, right?

It's obvious that with computers being general-purpose machines, they cannot
take away basic rights.  TC is specificaly designed [1] to take away these
rights and turn them into concessions.

[1] Yes, really.  If you disagree, please explain why the Owner Override
    proposal (http://www.linuxjournal.com/article/7055) was rejected.

> Or maybe to  
> actually be in control of your system from power-on to shell prompt?

Being in control is not the same as trusting someone else who claims to be.

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What use is a phone call, if you are unable to speak?
(as seen on /.)
reply via email to
[Prev in Thread] Current Thread [Next in Thread]