On Thu, 2 Mar 2017 03:42:24 -0500 taii...@gmx.com wrote:
> It is possible to have a reasonably secure system where the hard drive
> firmware (or any other devices) can't fuck around with the stuff on
> disk, although I highly doubt that the gentoo infrastructure (and
> kernel.org, and all the source repos for all the other software) does this
A hard drive's firmware is the drive's micro OS; it can manipulate data on the disk as it pleases. The only way to protect the privacy of the data is to write it already encrypted, so it still can be mangled and become unusable, but privacy will be kept. But see below about DMA.

> One way is to use a blob-free coreboot IOMMU supporting board and
> bootstrap the crypto/kernel off of the board firmware EEPROM chip to
> load the initial kernel thus no plaintext touches the disk and thus
> nothing can mess with it.
>
> The IOMMU (theoretically) protects the CPU and memory from rogue
> devices, such as the hard drive.

No. Any DMA-capable device can bypass the IOMMU. The IOMMU was not designed to protect the OS from devices.

> In terms of ethics IBM *for now* is a way better company than Intel/AMD,
> their POWER servers are owner controlled as there isn't any boot
> guard/secure boot/management engine/platform "security" processor (amd's
> ME) to stop you from re-writing the firmware as you please. They also
> have a getting-there-almost-reasonable open source effort (OpenPOWER)

Indeed they are. But those boxes are quite expensive and hard to get.

Best regards,
Andrew Savchenko
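The distinction drawn above, that writing data pre-encrypted keeps it private but does nothing to stop the drive from mangling it, is easy to see in code. The following Go program is an added illustration and is not part of the mailing-list thread: it models one sector stored with AES-CTR (confidentiality only) next to the same sector sealed with AES-GCM (confidentiality plus a 16-byte authentication tag), flips a single bit of each stored ciphertext the way untrusted firmware could, and shows that CTR hands back altered data with no error while GCM refuses the sector. The 512-byte sector, the sector number, the random key and the per-sector nonce derivation are all constructed for the demonstration; the nonce handling in particular is a teaching model, not a disk-encryption design.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SectorSize models a 512-byte disk sector (constructed value for this demo).
const SectorSize = 512

// FlipBit returns a copy of data with one bit of byte pos inverted: a stand-in
// for drive firmware rewriting a stored sector it cannot decrypt.
func FlipBit(data []byte, pos int) []byte {
	out := append([]byte(nil), data...)
	out[pos] ^= 0x01
	return out
}

// sectorIV derives a per-sector IV/nonce of the requested size from the sector number.
func sectorIV(sector uint64, size int) []byte {
	iv := make([]byte, size)
	binary.BigEndian.PutUint64(iv[size-8:], sector)
	return iv
}

// EncryptSectorCTR is AES-CTR keyed per sector; decryption is the same call.
// It gives confidentiality only: any change to the ciphertext goes unnoticed.
func EncryptSectorCTR(key []byte, sector uint64, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, sectorIV(sector, aes.BlockSize)).XORKeyStream(out, in)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSectorGCM is AES-GCM with the sector number as nonce and associated data,
// so the tag also fails if a sector is moved. Teaching model only: a real disk
// scheme must not reuse a nonce when the same sector is rewritten.
func SealSectorGCM(key []byte, sector uint64, plain []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := sectorIV(sector, aead.NonceSize())
	return aead.Seal(nil, nonce, plain, nonce), nil
}

// OpenSectorGCM checks the tag and returns no plaintext at all on mismatch.
func OpenSectorGCM(key []byte, sector uint64, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := sectorIV(sector, aead.NonceSize())
	plain, err := aead.Open(nil, nonce, sealed, nonce)
	if err != nil {
		return nil, errors.New("sector rejected: authentication tag mismatch")
	}
	return plain, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo stores one sector both ways, flips a bit of each stored ciphertext and
// reports whether CTR silently handed back altered data and whether GCM refused.
func Demo() (ctrSilentlyAltered, gcmRejected bool) {
	key := make([]byte, 32) // constructed random key
	_, err := rand.Read(key)
	must(err)
	plain := bytes.Repeat([]byte{0x42}, SectorSize) // constructed sector content
	const sector = uint64(4096)

	ct, err := EncryptSectorCTR(key, sector, plain)
	must(err)
	got, err := EncryptSectorCTR(key, sector, FlipBit(ct, 7)) // "decrypt" the tampered sector
	must(err)
	ctrSilentlyAltered = got[7] == plain[7]^0x01 && bytes.Equal(got[:7], plain[:7])

	sealed, err := SealSectorGCM(key, sector, plain)
	must(err)
	_, openErr := OpenSectorGCM(key, sector, FlipBit(sealed, 7))
	gcmRejected = openErr != nil
	return
}

func main() {
	altered, rejected := Demo()
	fmt.Printf("CTR returned altered data without error: %v\n", altered)
	fmt.Printf("GCM rejected the tampered sector: %v\n", rejected)
}
```

The CTR path never learns the sector was touched; the flipped ciphertext bit simply becomes a flipped plaintext bit, which is the "mangled and unusable" outcome described above with the key still secret. The GCM path turns the same event into a hard read error that a filesystem or monitoring layer can act on. On Linux, dm-crypt stacked on dm-integrity gives a whole volume this kind of tamper detection rather than confidentiality alone.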