On Thu, May 31, 2012 at 12:42 PM, Gerry Reno <gr...@verizon.net> wrote: > On 05/31/2012 01:34 PM, Jon Ciesla wrote: >> On Thu, May 31, 2012 at 12:22 PM, Gerry Reno <gr...@verizon.net> wrote: >>> On 05/31/2012 01:19 PM, Jon Ciesla wrote: >>>> On Thu, May 31, 2012 at 12:16 PM, Gerry Reno <gr...@verizon.net> wrote: >>>>> On 05/31/2012 01:10 PM, Gregory Maxwell wrote: >>>>>> On Thu, May 31, 2012 at 1:07 PM, Gerry Reno <gr...@verizon.net> wrote: >>>>>>> Could be any of a thousand ways to implement this. >>>>>>> Maybe it checks the BIOS to determine whether some SecureBoot flag is >>>>>>> set. >>>>>> While it pains me to argue with someone on my side— you're incorrect. >>>>>> The compromised system would just intercept and emulate or patch out >>>>>> that test. >>>>> Then what's missing here is a way for booted OS's to test themselves for >>>>> integrity. >>>> Maybe some sort of cryptographic signature stored in the hardware? >>>> >>>> <ducks> >>>> >>>> -J >>>> >>>> </sarcasm> >>>> >>> Just not dictated by one monopoly. >> Ideally, no. But you see the problem. I'm divided on the solution >> myself, but I've yet to see one I feel better about. >> >> -J >> >> > > This game of cat and mouse with the blackhats is not going to end until we > have some type of read-only partitions where > known good code resides.
We have that, ISO9660. Known good == known good to whom? -J > And the user must hit a hardware button to enable read-write to change > anything there. > > We just keep pushing these blackhats to different layers. Next they'll be > flashing our BIOSes and eliminating all > protections SecureBoot and otherwise. > > . > > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel -- http://cecinestpasunefromage.wordpress.com/ ------------------------------------------------ in your fear, seek only peace in your fear, seek only love -d. bowie -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel