20 Nov
2016
20 Nov
'16
2:08 a.m.
Hi Tobias,
Tobias Wegner wrote:
'badusb' One of our main security targets is to stop boot sector attacks.
Then use a payload which ignores MBR, such as FILO, Linux or GRUB. Almost anything except SeaBIOS.
Given your focus on USB, a Linux payload with custom initramfs is especially interesting. Then you can do this as part of the boot process:
for bus in /sys/bus/usb/devices/usb*; do echo 0 > $bus/authorized_default; done
And of course use standard utilities both to interact with TPM if you like, and to check signatures of follow-up code executed after the initramfs.
//Peter