On Jul 10, 2007, at 5:54 PM, C. Scott Ananian wrote:
Unless we're actually going to do a full cryptographic authentication
of the entire FS image at every boot, the kernel checking is just
security theater.
I missed this message when originally following the thread. This is
incorrect.
On Jul 14, 2007, at 9:07 AM, C. Scott Ananian wrote:
This seems to imply a much beefier initramfs than is currently the
case, and one that is invoked on every boot.
It can be done without beefing up the initramfs much, but you have a
good point about it requiring one for every boot. Let me
More benchmarks for bios_crypto on LX:
Whirlpool: 1.16 sec / MiB
SHA512: 0.42 sec / MiB
SHA256: 0.28 sec / MiB --- New result (SHA256 is 1.5x the speed
of SHA512)
RSA verification: 0.025 sec / hash
ECC521 verification: 1.13 sec / hash
ECC256 verification: 0.31 sec / hash --- New
On 7/10/07, Mitch Bradley [EMAIL PROTECTED] wrote:
Decompression is fast, but the signature verification is not so fast,
especially since there are several different algorithms.
Can't we just SHA1 the kernel+initrd bundle and sign the hash? SHA1
should be fast enough...
--scott
--
On Jul 10, 2007, at 8:46 AM, C. Scott Ananian wrote:
Can't we just SHA1 the kernel+initrd bundle and sign the hash? SHA1
should be fast enough...
The hashes we have available in OFW through the LTC code are
Whirlpool and SHA-512. It's non-trivial to amend the list at this
time. The current
On 7/9/07, Mitch Bradley [EMAIL PROTECTED] wrote:
I looked at those git trees and didn't see the python runtime stuff in
the initramfs tree. How does it get included, and how big is it?
Packages in initramfs are specified by:
C. Scott Ananian wrote:
On 7/9/07, Mitch Bradley [EMAIL PROTECTED] wrote:
I looked at those git trees and didn't see the python runtime stuff in
the initramfs tree. How does it get included, and how big is it?
Packages in initramfs are specified by:
C. Scott Ananian wrote:
On 7/9/07, Mitch Bradley [EMAIL PROTECTED] wrote:
At that 3M size, I'm beginning to have second thoughts about the one
initrd for both activation and normal booting idea. A busybox
(statically linked with uclibc) with enough trimmings to do darn near
anything