Re: Re[2]: 'password' command in GRUB 2?

From: Vladimir 'phcoder' Serbinenko
Subject: Re: Re[2]: 'password' command in GRUB 2?
Date: Wed, 26 Aug 2009 19:32:37 +0200

On Wed, Aug 26, 2009 at 1:51 PM, Michal Suchanek<address@hidden> wrote:
> 2009/8/25 Vladimir 'phcoder' Serbinenko <address@hidden>:
>>> However, that CVE is about grub leaving its passwords in memory.
>>> Wiping memory used by grub should be fast - orders of magnitude faster
>>> than loading the OS kernel for example.
>> Actually this specific report is about BIOS leaving its keyboard
>> buffer - you can find BIOS password there too. As BIOS is proprietary
>> firmware whatever we do we can never ensure it being secure. Even the
> Even if many BIOSes leave their password there it's not a reason to be as sloppy.
Let me clarify my position:
1) If someone submits a patch with clean (e.g. shredding grub_free,
ensure there is no memory leak and a shredder for BIOS buffer) then I
would recommend to merge this patch.
2) This is a considerable amount of work and not a priority.
3) It's not a reason to hold the release
> I am not particularly concerned about this issue but the BIOS
> typically requires a reboot after typing the password so if it is
> half-decently implemented it clears the buffer during initialization.
> If it does not it's not grub's concern, it should do its part by
> clearing its own sensitive data (if any).
Actually what was described in the original link is exactly BIOS leaving data behind.
> Thanks
> Michal

Vladimir 'phcoder' Serbinenko

Personal git repository:
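
The "shredding grub_free" idea from point 1, sketched as an added example that is not part of the original message and is not GRUB code: a free routine receives no length, so the allocator records each block's size in a header and the release path wipes that many bytes first. The names shred_malloc, shred_block and shred_free are hypothetical, and libc malloc/free stand in for the boot loader's own allocator.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical helpers for illustration; these are not GRUB functions. */

/* Header kept in front of every block. The long double member pads it
   so the payload stays suitably aligned (C11 code would use max_align_t). */
union shred_hdr { size_t size; long double align; };

/* Zero through a volatile pointer so the compiler cannot drop the
   stores as dead writes to memory that is about to be released. */
static void shred(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

void *shred_malloc(size_t size)
{
    union shred_hdr *h;
    if (size > (size_t)-1 - sizeof *h)
        return NULL;                 /* size + header would overflow */
    h = malloc(sizeof *h + size);
    if (!h)
        return NULL;
    h->size = size;                  /* remembered for the wipe on free */
    return h + 1;
}

/* Wipe payload and header, then return the raw pointer the underlying
   allocator expects. Split out so the wipe can be checked in a test. */
void *shred_block(void *p)
{
    union shred_hdr *h = (union shred_hdr *)p - 1;
    shred(p, h->size);
    shred(h, sizeof *h);             /* the length of a secret leaks too */
    return h;
}

void shred_free(void *p)
{
    if (p)
        free(shred_block(p));
}
```

This only covers heap blocks; copies of a password on the stack, in registers or in the BIOS keyboard buffer need their own wipe.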
