forum.opennet.ru

Составление сообщения

Исходное сообщение

"Опубликован Canoeboot, вариант дистрибутива Libreboot, отвеч..."
Отправлено Аноним, 01-Ноя-23 11:49

> Using a custom microcontroller with read-only ROM in place of the BIOS
> flash chip could potentially provide some extra protection against bootkit attacks
> for an open source BIOS like Libreboot:
I'll prefer to have upgrade path to be able to fix Libreboot, "just in case". Difference is: its me who would dub as "machine owner" and everyone else would be locked out.
> Since the Libreboot BIOS code is in masked
> ROM, it cannot be overwritten by malware trying to infect the BIOS.
Don't have to be masked ROM: if MCU FW refuses to cooperate, bios upgrade going to fail. Firmware could only agree update on e.g. proof of physical presence. Or some special actions like e.g. specialized key exchange or "master password" auth.
> Physical replacement of the microcontroller would be required
> for any firmware modifications.
That's how or why secure boot concept appeared...
> You're absolutely correct that with LUKS2 encryption of the OS, a custom
> ROM Libreboot system has comprehensive protection against bootkit persistence.
... rest of stuff about LUKS are "implementation details". In the end trusted firmware can check its next parts, its only one of possible ways.

Исходное сообщение
"Опубликован Canoeboot, вариант дистрибутива Libreboot, отвеч..." Отправлено Аноним, 01-Ноя-23 11:49
> Using a custom microcontroller with read-only ROM in place of the BIOS > flash chip could potentially provide some extra protection against bootkit attacks > for an open source BIOS like Libreboot: I'll prefer to have upgrade path to be able to fix Libreboot, "just in case". Difference is: its me who would dub as "machine owner" and everyone else would be locked out. > Since the Libreboot BIOS code is in masked > ROM, it cannot be overwritten by malware trying to infect the BIOS. Don't have to be masked ROM: if MCU FW refuses to cooperate, bios upgrade going to fail. Firmware could only agree update on e.g. proof of physical presence. Or some special actions like e.g. specialized key exchange or "master password" auth. > Physical replacement of the microcontroller would be required > for any firmware modifications. That's how or why secure boot concept appeared... > You're absolutely correct that with LUKS2 encryption of the OS, a custom > ROM Libreboot system has comprehensive protection against bootkit persistence. ... rest of stuff about LUKS are "implementation details". In the end trusted firmware can check its next parts, its only one of possible ways.

Ваше сообщение
Имя*:
EMail:	Для отправки ответов на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру