Alan wrote: > Don't see how your HPA code protects versus password locking however. If > I hack the OS I write a new boot block which locks the disk then reboot > into it. By the time you go for your floppy its too late. > If thats not the case I'm most interested how you set it up to avoid this. I was a bit too quick to answer this one yesterday. Basically, you want to protect against an attack replacing the bootloader, whatever happens later is bad anyway. The only way to get that is if the bootloader cannot be overwritten, preferably even by root, at the time of the attack. You have to know that whatever put Gujin in memory is independant of how it will probe the disks, partitions and files. The simple solution is: you never boot from the hard disk, but from a physically write protected device (write protected floppy, non writeable CD or CDRW in a non writing CDROM drive, USB thumb drive with a physical write protect switch). It may be interresting to be able to enable writing to the boot device at setup (for instance to select a kernel to "autoboot" after few seconds or set up the keyboard language and the default kernel command line), Gujin can itself save few data in its second 512 bytes sector if write is enabled, but that is not 100 % needed because the installer "instboot" can set all those parameter in file "boot.bcd" for CDROM install. Note that, if you are using a "write once" CDROM, you should take care of not enabling an attacker to add a session with a new El-torito boot sector. The complex solution is described in the ATA standard T13 D1367, Protect Area Run Time Interface Extension Services, skip to "4 Overview", and depends on the hard drive supporting the "Address Offset Reserved Area Boot", only IBM drives seem to have such a support. Basically, at boot, the LBA is offseted by a constant and you boot this "minidisk" with its own MBR. You can then send a command to the HD to stop this offset, and protect your "minidisk" by the HPA or by reducing the visible size of the disk (latter hurts the BIOS). The real MBR is never executed, the executed MBR is write protected even by root at the time of the attack, and if you boot with a DOS floppy you will see a small hard disk with the really used MBR. Gujin is designed to produce a complete disk mapping with FAT12/16 filesystem (no partition like a floppy) to be able to handle such a boot, but I did not finish to support it, mainly because the only IBM drive I have is my main one, and because my hobby time is limited (I am not working in the PC industry). It should not be difficult to support that completely, the details are how to upgrade Gujin, how to behave with non booted but present disks... If you are using one of these two solutions, an attacker will have to take control of the system before Gujin is executed - so the only attack is either the main BIOS FLASH (check that you have a jumper to write protect it physically) and other PCI/AGP BIOS (video BIOS, network BIOS) which may be present on FLASH and may be overwritten. Modifying the firmware of the HD may be another attack path. All this remember me the software write protection of 5 1/4 inch floppy... Also, never try to test IDE passwords at 2:00 in the morning, even for a quick test, you may type a random password and get a 160GB brick. Someone knows the master password of Maxtor 4G160J8 code GAK819K0 drive S/N G80CNBME FG08A - I promise not to repeat it! Cheers, Etienne. __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail - : send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
