Re: UEFI bootkit

On 2012/09/20 19:38, JD wrote:

On 09/20/2012 07:56 PM, Eddie G. O'Connor Jr. wrote:
On 09/20/2012 08:24 AM, jdow wrote:
On 2012/09/20 04:45, Matthew Miller wrote:
On Thu, Sep 20, 2012 at 04:29:47AM -0700, jdow wrote:
That is why I like my unique to the machine key that is supplied to the
user along with the board serial number. So he can make changes. But the
changes for his system cannot affect other systems. That would make
custom signed Linux kernels possible for a person testing kernel builds
or compiling in obscure filesystems, such as I do from time to time.

You will be able to do this -- at least, on x86. Some lobbying on the ARM
front is needed.

It won't be a key that's supplied to the user, though. The user will be able
to add their own.

As long as the key is unique to one single machine the idea is sound
except for the "user too stupid to live" cases.

{^_^}

What is it that will check "uniqueness" of the key?
Over the internet? Check with what/who?

Nothing. The user would have the option in the BIOS to generate, somehow,
a random number. He's told to type keys on the keyboard, any keys at all,
with the intervals feeding some randomness into the system. Then the key
for signing is presented on the screen for the user to copy down, pen and
paper mode. (Yeah, that is SO centuries ago. But, it's not in electronic
form, yet, so it is quite secure. If the machine makes sure nothing is
plugged in other than keyboard, mouse, and monitor it's not likely to be
siphoned off by monitoring malware.)

{^_^}