On Sat, Nov 28, 2009 at 11:44 PM,  <sch...@subverted.org> wrote:
> That's a very interesting card, but for different reasons.  Since it's
> not integrated into the hardware of the system, it too is at the mercy
> of whatever the subverted kernel wants it to see.  Nothing short of a
> hardware-integrated measurement from POST through kernel & initrd is
> going to guarantee (for some definition thereof) that there hasn't been
> some malicious modification of the process.

Yes, that's true. I just saw the flaw in this scheme. (An attacker
would simply replace gpg on the USB drive with one that has the
attacker's keys hard-coded, made to completely ignore the smart card,
and re-hash/sign everything...)

Google's new OS claims to prevent exactly this sort of attack by using
"custom" firmware to conduct regular checks:
http://www.youtube.com/watch?v=A9WVmNfgjtQ#t=2m24s
Apparently, the key used to check the kernel for modification is kept
in "read-only" firmware, along with "verifier logic" (hash test
cases?). If they're successful, perhaps Gentoo Hardened could adopt
these methods.

Digressing... Given that we cannot ensure the integrity of our kernel,
presumably the attacker cannot ensure theirs either. Short of
preventing tampering, the next best thing would be to detect it, and
in some cases knowing that data was tampered with is potentially more
valuable than the data itself. For example, one could "bait" an "evil
maid" attack, and later study the modified kernel, to phone home with
a dupe payload, etc... Now that would make a good movie. ; )

-- 
Mansour Moufid
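As an added illustration of the point made in this exchange (this is example code written for this page, not anything from the thread, from Gentoo Hardened or from Google's firmware), the following Python models a boot chain in which each stage embeds the SHA-256 digest of the next one, and a verifier walks the chain from a root digest. Where the root digest and verifier are kept in read-only firmware, replacing the kernel is caught even if the attacker re-hashes every writable stage; where they live on the same writable media (the gpg-on-a-USB-drive setup), the attacker rewrites the root too and nothing is detected. A plain hash chain stands in for the signature check the video describes; the stage names, image contents and the "evil kernel" are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    """One boot stage as stored on writable media: its code followed by the
    digest it expects of the stage after it (empty for the last stage)."""
    name: str
    code: bytes
    next_digest: bytes

    def image(self) -> bytes:
        # What is actually read from disk/USB and hashed by the previous stage.
        return self.code + self.next_digest


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Link stages back to front so each embeds the digest of its successor.
    Returns (root digest, stages); the root digest is what belongs in
    read-only firmware, next to the verifier logic that uses it."""
    stages: List[Stage] = []
    expected = b""
    for name, code in reversed(images):
        stage = Stage(name, code, expected)
        stages.insert(0, stage)
        expected = sha256(stage.image())
    return expected, stages


def verify_chain(root_digest: bytes, stages: List[Stage]) -> Optional[str]:
    """Verifier logic: starting from the root digest, hash each stage before
    'running' it and compare with what the previous link expected.
    Returns the name of the first stage that fails, or None if all verify."""
    expected = root_digest
    for stage in stages:
        if sha256(stage.image()) != expected:
            return stage.name
        expected = stage.next_digest
    return None


def swap_stage(stages: List[Stage], target: str, new_code: bytes) -> List[Stage]:
    """Evil-maid step 1: overwrite one stage's code in place, leaving every
    embedded digest as it was."""
    return [Stage(s.name, new_code if s.name == target else s.code, s.next_digest)
            for s in stages]


# Constructed sample images; real stages would be the bootloader, vmlinuz and initrd.
GOOD_IMAGES = [
    ("bootloader", b"BOOTLOADER v1: load kernel, verify, jump"),
    ("kernel", b"KERNEL v1: init, mount root from initrd"),
    ("initrd", b"INITRD v1: unlock LUKS, pivot_root"),
]
EVIL_KERNEL = b"KERNEL v1: init, log keystrokes to /dev/sdb, mount root"


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    ro_root, stages = build_chain(GOOD_IMAGES)
    assert verify_chain(ro_root, stages) is None   # clean chain verifies

    # Attack 1: only the kernel bytes change. The bootloader still embeds the
    # digest of the old kernel, so the mismatch is caught when the kernel is hashed.
    patched = swap_stage(stages, "kernel", EVIL_KERNEL)
    caught_at_kernel = verify_chain(ro_root, patched)

    # Attack 2: the attacker also re-links everything they can write (the
    # "replace gpg on the USB drive and re-hash/sign everything" move).
    # Every embedded digest is now self-consistent...
    evil_root, relinked = build_chain([(s.name, s.code) for s in patched])
    # ...but the root digest in read-only firmware still describes the old
    # bootloader image, so the very first link fails.
    caught_at_root = verify_chain(ro_root, relinked)
    # If the root (and verifier) lived on the same writable media, the attacker
    # rewrites it too and the tampered chain verifies cleanly.
    undetected = verify_chain(evil_root, relinked)
    return caught_at_kernel, caught_at_root, undetected


if __name__ == "__main__":
    print(demo())   # ('kernel', 'bootloader', None)
```

The only difference between the detected and undetected runs is where the root digest comes from, which is the whole argument for anchoring the measurement in something the kernel, or whatever replaced it, cannot write.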
