On 07.03.2010 00:02, Stefan Reinauer wrote:
On 3/6/10 9:17 PM, ron minnich wrote:
On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger wrote:
>>> Well, I implemented signature checking for coreboot (so that only signed payloads would be executed).
>>> The big question is: Do you want to protect against
>>> 1. someone with full hardware access (developer),
>>> 2. someone sitting in front of the machine but without hardware access (computer pool),
>>> 3. evil malware (including rootkits)?
>>> I'd say the first category is pointless with current x86 hardware.
>> I agree completely.
> Also, the question is what kind of privilege escalation can be caused by a security breach. While you can always solder a new flash chip on an x86 system these days, you can still encrypt your data in order to protect against (read) access.
It depends on the security model. If you store the encryption key in the ROM, people can read it out if they have hardware access. If there are protections in place against such readout, there is still the chance to rig something with the help of SerialICE.
>> (3) is the biggest concern. For me, anyway. (2) is close, however.
> Someone sitting in front of the machine usually does have hardware access, so the differentiation is kind of artificial unless you count the people forgetting to bring soldering irons and screwdrivers.
I hope someone questions/stops you if you decide to bring screwdrivers and a soldering iron to a shared student computer room and start taking apart one of the machines. Then again, doing this is basic social engineering, and if you are bold enough and ask loudly in that computer room for someone to assist you, most people will think the operation is entirely legit.
In the end, what we need is a detailed security model which includes a good understanding of the threat we want to protect against. Doing many "security things" is not a fix for anything, but a hand-tailored solution has the chance of addressing one given problem.
Regards, Carl-Daniel
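The "only signed payloads get executed" gate that the thread talks about, written out as an added example. This is not coreboot's code and not the implementation Carl-Daniel mentions (the thread does not describe his scheme); the image layout (public key, then signature, then payload body), the function names (`rom_root`, `build_image`, `load_payload`) and the sample payload are all assumptions made for this example. It uses Lamport one-time signatures over SHA-256 purely so that it runs with the Python standard library; a real boot ROM would verify RSA or ECDSA signatures instead, and a Lamport key must never sign a second payload because each signature reveals half of the secrets. The point it illustrates about the threat model above: the ROM holds only a digest of the public key, so reading the flash out (the readout worry in the thread) gains an attacker nothing, whereas rewriting the flash replaces the root of trust itself, which is why the thread calls category 1 pointless on current x86 hardware.

```python
"""Signed-payload gate (added example, not coreboot's code).

Root of trust in "ROM": the SHA-256 digest of the signer's public key.
Assumed image layout: pk || signature || payload.
Lamport one-time signatures over SHA-256 stand in for a real scheme
(RSA/ECDSA) only so this runs with the standard library.
"""
import hashlib
import hmac
import os

N = 256                        # digest bits that get signed
SECRET_LEN = 32                # bytes per one-time secret (= SHA-256 output size)
PK_LEN = N * 2 * SECRET_LEN    # 16384 bytes: two hashes per digest bit
SIG_LEN = N * SECRET_LEN       # 8192 bytes: one revealed secret per digest bit


def _h(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport keypair: per digest bit, one secret for '0' and one for '1', plus their hashes."""
    sk = [(os.urandom(SECRET_LEN), os.urandom(SECRET_LEN)) for _ in range(N)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def _digest_bits(data):
    d = int.from_bytes(_h(data), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, payload):
    """Reveal, for each digest bit, the secret that matches the bit. One-time: never reuse sk."""
    return b"".join(sk[i][b] for i, b in enumerate(_digest_bits(payload)))


def verify(pk, payload, signature):
    """True only if every revealed secret hashes to the public-key entry for that digest bit."""
    if len(signature) != SIG_LEN:
        return False
    ok = True
    for i, b in enumerate(_digest_bits(payload)):
        chunk = signature[i * SECRET_LEN:(i + 1) * SECRET_LEN]
        # check every position so timing does not reveal where the first mismatch is
        ok &= hmac.compare_digest(_h(chunk), pk[i][b])
    return bool(ok)


def serialize_pk(pk):
    return b"".join(h0 + h1 for h0, h1 in pk)


def deserialize_pk(blob):
    return [(blob[64 * i:64 * i + 32], blob[64 * i + 32:64 * i + 64]) for i in range(N)]


def rom_root(pk):
    """What gets burned into the boot ROM: a digest of the public key, nothing secret."""
    return _h(serialize_pk(pk))


def build_image(sk, pk, payload):
    """Build-time step (assumed layout): public key, signature over the body, body."""
    return serialize_pk(pk) + sign(sk, payload) + payload


def load_payload(rom_digest, image):
    """Boot-time gate: return the payload body only if the ROM-trusted key signed it, else None."""
    if len(image) < PK_LEN + SIG_LEN:
        return None                       # truncated image
    pk_blob = image[:PK_LEN]
    if not hmac.compare_digest(_h(pk_blob), rom_digest):
        return None                       # key is not the one this ROM trusts
    pk = deserialize_pk(pk_blob)
    sig = image[PK_LEN:PK_LEN + SIG_LEN]
    payload = image[PK_LEN + SIG_LEN:]
    if not verify(pk, payload, sig):
        return None                       # body or signature altered
    return payload


if __name__ == "__main__":
    sk, pk = keygen()
    rom = rom_root(pk)                    # constructed "ROM" contents
    good = build_image(sk, pk, b"constructed payload body\n")
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                  # flip one bit of the payload body
    print("signed payload accepted:", load_payload(rom, good) is not None)
    print("tampered payload rejected:", load_payload(rom, bytes(tampered)) is None)
```

Note that nothing in `load_payload` protects the ROM digest itself: whoever can rewrite the flash can swap in their own `rom_root`, so this gate only addresses the second and third categories in the thread, not the first.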