On Thu, May 31, 2012 at 12:42 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: > On 05/31/2012 01:34 PM, Jon Ciesla wrote: >> On Thu, May 31, 2012 at 12:22 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>> On 05/31/2012 01:19 PM, Jon Ciesla wrote: >>>> On Thu, May 31, 2012 at 12:16 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>>>> On 05/31/2012 01:10 PM, Gregory Maxwell wrote: >>>>>> On Thu, May 31, 2012 at 1:07 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>>>>>> Could be any of a thousand ways to implement this. >>>>>>> Maybe it checks the BIOS to determine whether some SecureBoot flag is set. >>>>>> While it pains me to argue with someone on my side— you're incorrect. >>>>>> The compromised system would just intercept and emulate or patch out that test. >>>>> Then what's missing here is a way for booted OS's to test themselves for integrity. >>>> Maybe some sort of cryptographic signature stored in the hardware? >>>> >>>> <ducks> >>>> >>>> -J >>>> >>>> </sarcasm> >>>> >>> Just not dictated by one monopoly. >> Ideally, no. But you see the problem. I'm divided on the solution >> myself, but I've yet to see one I feel better about. >> >> -J >> >> > > This game of cat and mouse with the blackhats is not going to end until we have some type of read-only partitions where > known good code resides. We have that, ISO9660. Known good == known good to whom? -J > And the user must hit a hardware button to enable read-write to change anything there. > > We just keep pushing these blackhats to different layers. Next they'll be flashing our BIOSes and eliminating all > protections SecureBoot and otherwise. > > . > > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel -- http://cecinestpasunefromage.wordpress.com/ ------------------------------------------------ in your fear, seek only peace in your fear, seek only love -d. bowie -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
