Adam Agnew agnew@cs.umd.edu writes:
A lot of things like that in the description weren't implemented by choice. All we've done is to check elf image signatures so far. I think you'd agree that's the only part that was really necessary towards getting an operating system up in a trusted state. As long as you confine execution to elf images, you can continue to chain along. As far as etherboot goes, same rules. No need to worry about individual packets. I'm just going to check the signature once it all arrives anyway.
Ok interesting. The implemented code base is quite different from the description in the patent :)
In the etherboot case there is a bit of a vulnerability with respect to replay attacks, where an attacker could trick the software into loading an old but buggy, previously signed image.
And the description does not address when the system has exploitable bugs. In particular, systems like the X-box can be compromised with buffer overflows and other standard security holes, allowing an untrusted application to gain special privileges on the machine.
Right, we trust that the components are signed and therefore an authority intended to grant the component permission to run on the machine. It does not mean that we trust the new component not to break the chain of trust, or be bug ridden. Why, we even thought about "trusting" certain closed operating systems!
Yep, my main goal here was to understand the limitations. A lot of the noise you hear from other systems talking about trusted booting seems to promise the world.
Eric
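The replay case raised in this thread (an old, buggy but validly signed image re-served to the loader), worked through as an added example. This is not code from the thread, from etherboot or from LinuxBIOS; the image layout, the Ed25519 signature scheme, the constant key seed and the NVRAM-backed version floor are all assumptions made here for illustration. It contrasts the signature-only check the thread describes with the same check plus an anti-rollback floor that only ratchets upward, and shows why the version has to sit inside the signed bytes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not etherboot's or LinuxBIOS's format):
//   magic "SIMG" | version uint32 BE | payloadLen uint32 BE | payload | ed25519 sig (64 bytes)
// The signature covers every byte before it, so the version is bound to the payload.
const (
	magic  = "SIMG"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat = errors.New("malformed image")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version below anti-rollback floor")
)

// DemoKeys derives a fixed keypair from a constant seed so the run is reproducible.
// Assumption for the example only: a real signing key is never derived from a public constant.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// MakeImage is the signing authority's side: prefix the payload with a version and sign it all.
func MakeImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// parseImage splits an image into version, payload, the signed region and the signature.
func parseImage(img []byte) (version uint32, payload, signed, sig []byte, err error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return 0, nil, nil, nil, ErrBadFormat
	}
	version = binary.BigEndian.Uint32(img[4:8])
	plen := int(binary.BigEndian.Uint32(img[8:12]))
	if plen != len(img)-hdrLen-sigLen {
		return 0, nil, nil, nil, ErrBadFormat
	}
	return version, img[hdrLen : hdrLen+plen], img[:hdrLen+plen], img[hdrLen+plen:], nil
}

// VerifySignatureOnly is the check the thread describes: run anything the authority signed.
// An old, buggy but validly signed image passes, which is exactly the replay case.
func VerifySignatureOnly(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	_, payload, signed, sig, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSig
	}
	return payload, nil
}

// VerifyWithRollbackFloor adds an anti-rollback check. floor is state the platform keeps
// across boots (assumed here to live in NVRAM) and only ever moves upward. The signature
// is checked first, so an unsigned or tampered image can neither run nor move the floor.
func VerifyWithRollbackFloor(pub ed25519.PublicKey, img []byte, floor *uint32) ([]byte, error) {
	version, payload, signed, sig, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSig
	}
	if version < *floor {
		return nil, ErrRollback
	}
	*floor = version // ratchet: once v2 has booted, v1 is never accepted again
	return payload, nil
}

// BumpVersion is the attacker's attempt to relabel an old image as a newer one.
func BumpVersion(img []byte, newVersion uint32) []byte {
	out := append([]byte(nil), img...)
	binary.BigEndian.PutUint32(out[4:8], newVersion)
	return out
}

// Scenario records the outcome of each boot attempt in RunScenario.
type Scenario struct {
	NewWithFloor, OldSigOnly, OldWithFloor, BumpedWithFloor error
	Floor                                                  uint32
}

// RunScenario plays the replay against both verifiers with constructed v1 and v2 images.
func RunScenario() Scenario {
	pub, priv := DemoKeys()
	oldImg := MakeImage(priv, 1, []byte("kernel-v1 (buggy)")) // signed long ago
	newImg := MakeImage(priv, 2, []byte("kernel-v2 (fixed)")) // current release
	var s Scenario
	floor := uint32(0)
	_, s.NewWithFloor = VerifyWithRollbackFloor(pub, newImg, &floor)                   // boots, floor -> 2
	_, s.OldSigOnly = VerifySignatureOnly(pub, oldImg)                                 // nil: replay works
	_, s.OldWithFloor = VerifyWithRollbackFloor(pub, oldImg, &floor)                   // ErrRollback
	_, s.BumpedWithFloor = VerifyWithRollbackFloor(pub, BumpVersion(oldImg, 3), &floor) // ErrBadSig
	s.Floor = floor
	return s
}

func main() {
	s := RunScenario()
	fmt.Println("v2 with floor:      ", s.NewWithFloor)
	fmt.Println("old, signature only:", s.OldSigOnly)
	fmt.Println("old, with floor:    ", s.OldWithFloor)
	fmt.Println("old relabelled v3:  ", s.BumpedWithFloor)
	fmt.Println("floor after run:    ", s.Floor)
}
```

The floor only helps if the platform can actually store it somewhere the attacker who controls the network cannot reset, and if the signing authority bumps the version for every release it wants to retire; a loader that verifies the signature but reads the version from an unsigned header gains nothing, since the relabelled image in BumpVersion would then pass.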