在 2019/2/17 下午5:02, Nico Huber 写道:
When you are sure that you want a lock, you still have to decide what kind of lock. And that depends on what you actually want to protect against (e.g. online attack by a compromised OS) and how much flexi- bility you are willing to sacrifice (e.g. online firmware updates).
Nico is right, and I personally like locks that can and should be unlocked with physical access during boot via some sort of authentication, so they are usually performed by payloads with authentication and programming capabilities.
You can see some boot-time-unlockable lock schemes here: https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/... , performed by a grub payload.
https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/... , performed by a modified heads payload.