On Thu, May 31, 2012 at 12:52 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: > On 05/31/2012 01:48 PM, Jon Ciesla wrote: >> On Thu, May 31, 2012 at 12:42 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>> On 05/31/2012 01:34 PM, Jon Ciesla wrote: >>>> On Thu, May 31, 2012 at 12:22 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>>>> On 05/31/2012 01:19 PM, Jon Ciesla wrote: >>>>>> On Thu, May 31, 2012 at 12:16 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>>>>>> On 05/31/2012 01:10 PM, Gregory Maxwell wrote: >>>>>>>> On Thu, May 31, 2012 at 1:07 PM, Gerry Reno <greno@xxxxxxxxxxx> wrote: >>>>>>>>> Could be any of a thousand ways to implement this. >>>>>>>>> Maybe it checks the BIOS to determine whether some SecureBoot flag is set. >>>>>>>> While it pains me to argue with someone on my side— you're incorrect. >>>>>>>> The compromised system would just intercept and emulate or patch out that test. >>>>>>> Then what's missing here is a way for booted OS's to test themselves for integrity. >>>>>> Maybe some sort of cryptographic signature stored in the hardware? >>>>>> >>>>>> <ducks> >>>>>> >>>>>> -J >>>>>> >>>>>> </sarcasm> >>>>>> >>>>> Just not dictated by one monopoly. >>>> Ideally, no. But you see the problem. I'm divided on the solution >>>> myself, but I've yet to see one I feel better about. >>>> >>>> -J >>>> >>>> >>> This game of cat and mouse with the blackhats is not going to end until we have some type of read-only partitions where >>> known good code resides. >> We have that, ISO9660. Known good == known good to whom? >> >> > Nah, can't be iso. > > Has to be HDD partitions whose ro/rw state is controlled by hardware. Which brings us back to the issue of how the hardware knows what to trust for that ro/rw state. -J > > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel -- http://cecinestpasunefromage.wordpress.com/ ------------------------------------------------ in your fear, seek only peace in your fear, seek only love -d. bowie -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
