[coreboot] Fwd: [FWD: Request for Chromebook Authentication Module Development]

ron minnich rminnich at gmail.com
Tue Aug 1 17:31:16 CEST 2017


This doesn't make sense to me. By putting the PIN in memory you expose its
value at all steps in the delivery process. Chromebooks have a very good
mechanism for keys that can be personalized to an individual, see my talk
at last year's linuxconf in Berlin where I showed how you can make a
chromebook boot only a chromeos you have signed personally.

Security is really hard to get right. I think you need to build on what's
in the chromebook, not design your own addon, because that's almost
certainly going to weaken security.

What are you trying to do here? Is the target software stack chromeos? Why
the PIN?

We may want to drop coreboot list off this discussion but there are so many
smart people on the coreboot list I wanted to give them a chance to respond
too.