Hello, Daniel!

> > GNU GRUB, as it is released by FSF, should not (IMHO) ship with
> > potential security holes,
>
> Can you identify the specific security holes you fear will be exposed by
> the addition of encrypted image support to GRUB? I fully intend to
> document the feature, including the warnings that simply having
> encryption does not magically make it a 'secure' system...

Even after documenting it, this feature remains confusing. Since you need this
feature you probably know what it is for, but I'm afraid that many other
people will consider this as useless bloat.
I haven't read the documentation you are going to write, but it is very
important to explain possible dangers. Possible scenario:
There are two images: A and B. They are encrypted with the same key, since
GRUB doesn't send the key, so the encrypted images (Ac and Bc) will always
be accepted by GRUB.
A "black hat" knows that "Ac" is transmitted when the system is being
serviced (i.e. there is somebody at the console). At some point the
compromised system detects a request from GRUB and sends Ac before the
valid system sends Bc. After that the "black hat" goes to that machine and
gets Coke for free :-)

> > kerberos and OpenGL support :-)
>
> These are probably not needed, though. ;)

Nice to see that you agree with me on this point.

Pavel
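The replay scenario above, as an added illustration that is not part of this thread or of GRUB's code: a toy Python model in which a static shared key, with nothing fresh contributed by the loader, lets a recorded Ac pass at any later boot, next to the same exchange with a loader-chosen challenge bound into a MAC. The key, images and the SHA-256 based stand-in cipher are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real GRUB data): one static shared key, a
# "service" image A and the normal image B, as in the scenario above.
KEY = b"constructed-shared-boot-key"
IMAGE_A = b"service image A: root shell on console"
IMAGE_B = b"production image B: normal boot"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode), standing in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

# Weak design: static key only, the loader contributes nothing per boot.
def serve_static(key: bytes, image: bytes) -> bytes:
    return xor(image, keystream(key, b"", len(image)))

def loader_static(key: bytes, blob: bytes) -> bytes:
    # Decryption cannot fail, so a blob recorded at an earlier boot is
    # indistinguishable from a fresh one: replaying Ac simply boots image A.
    return xor(blob, keystream(key, b"", len(blob)))

# Bound design: the loader sends a fresh random challenge, the server encrypts
# under it and MACs challenge||ciphertext, so an old blob cannot answer a new boot.
def serve_bound(key: bytes, image: bytes, challenge: bytes) -> tuple:
    blob = xor(image, keystream(key, challenge, len(image)))
    return blob, hmac.new(key, challenge + blob, hashlib.sha256).digest()

def loader_bound(key: bytes, challenge: bytes, blob: bytes, tag: bytes):
    expected = hmac.new(key, challenge + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tag is not for this boot's challenge: replay or tampering
    return xor(blob, keystream(key, challenge, len(blob)))

def replay_demo() -> dict:
    # Replay a blob captured during servicing (Ac) at a later, normal boot.
    captured_ac = serve_static(KEY, IMAGE_A)
    old, new = os.urandom(16), os.urandom(16)
    captured = serve_bound(KEY, IMAGE_A, old)
    return {
        "static_replay_boots": loader_static(KEY, captured_ac),
        "bound_replay_boots": loader_bound(KEY, new, *captured),
        "bound_fresh_boots": loader_bound(KEY, new, *serve_bound(KEY, IMAGE_B, new)),
    }
```

The challenge must be unpredictable and generated by the loader itself; a counter the server can guess, or one the server chooses, gives no replay protection.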