Re: Trusted Boot in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 27, 2011 at 12:11 PM, Andrew Haley <aph@xxxxxxxxxx> wrote:
> On 24/06/11 20:49, Miloslav Trmač wrote:
>> On Fri, Jun 24, 2011 at 12:49 PM, Andrew Haley <aph@xxxxxxxxxx> wrote:
>>> What I don't understand is why this feature requires a binary blob.
>>> Surely whatever northbridge code is required can be free software,
>>> Is this just security through obscurity?
>>
>> The purpose of the blob is to "measure" the system state; only the
>> blob (and hardware reset) is allowed to restart the "measuring"
>> process in the TPM.  For this to work securely, the blob must be
>> signed by someone that the TPM itself trusts - otherwise an attacker
>> could replace the blob by something that lies about the system state.
<snip>
> What we're saying, then, is that the TPM doesn't trust the owner of
> the computer, but its manufacturer.  It's impossible for a user to
> decide who they trust.

First, the TPM (nor the CPU) really can't tell the difference between
the owner of the computer and an author of a virus.  It's all just
software.

Second, every owner of a computer has to completely trust the
manufacturer of the computer anyway - there are way too many ways the
manufacturer can break the security of the system, e.g. backdoors in
the CPU or motherboard, or hidden configurations of
https://secure.wikimedia.org/wikipedia/en/wiki/Intel_AMT .

Placing trust in the manufacturer of the hardware puts the user in no
worse position than they were before.  And the user, of course, still
has full control over whether to use the TPM or not, and what to use
it for.
    Mirek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux