On Wed, Aug 26, 2009 at 1:51 PM, Michal Suchanek<hramr...@centrum.cz> wrote:
> 2009/8/25 Vladimir 'phcoder' Serbinenko <phco...@gmail.com>:
>>> However, that CVE is about grub leaving its passwords in memory.
>>> Wiping memory used by grub should be fast - orders of magnitude faster
>>> than loading the OS kernel for example.
>> Actually this specific report is about BIOS leaving its keyboard
>> buffer - you can find BIOS password there too. As BIOS is proprietary
>> firmware whatever we do we can never ensure it being secure. Even the
>
> Even if many BIOSes leave their password there it's not reason to be as
> sloppy.
>
Let me clarify my position:
1) If someone submits a patch with clean (E.g. shredding grub_free,
ensure there is no memory leak and a shredder for BIOS buffer) then I
would recommend to merge this patch
2) This is a considerable amount of work and not a priority.
3) It's not a reason to hold the release
> I am not particularly concerned about this issue but the BIOS
> typically requires a reboot after typing the password so if it is
> half-decently implemented it clears the buffer during initialization.
> If it does not it's not grub's concern, it should do its part by
> clearing its own sensitive data (if any).
Actually what was described in original link is exactly BIOS leaving
data behind
>
> Thanks
>
> Michal
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> http://lists.gnu.org/mailman/listinfo/grub-devel
>
--
Regards
Vladimir 'phcoder' Serbinenko
Personal git repository: http://repo.or.cz/w/grub2/phcoder.git
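
The "shredding grub_free" plus leak check from point 1 of the message above, as an added hosted-C sketch that is not GRUB code and not from this thread. It wraps malloc/free with a size header so the free path can wipe the payload, and counts live blocks. The names shred_malloc, shred_free and shred_live_blocks are hypothetical, and the BIOS buffer shredder is not covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Header kept in front of every block so the free path knows how many
   bytes to wipe; the union keeps the payload at worst-case alignment. */
typedef union { size_t size; max_align_t align; } shred_hdr;

static size_t live_blocks;   /* allocations minus frees: the leak check */

/* Wipe through a volatile pointer so the compiler cannot discard the
   stores as dead writes to memory that is about to be released. */
static void shred(void *p, size_t n)
{
    volatile unsigned char *b = p;
    while (n--)
        *b++ = 0;
}

void *shred_malloc(size_t n)
{
    shred_hdr *h;
    if (n > SIZE_MAX - sizeof *h)   /* header + payload would overflow */
        return NULL;
    h = malloc(sizeof *h + n);
    if (!h)
        return NULL;
    h->size = n;
    live_blocks++;
    return h + 1;                   /* caller sees only the payload */
}

void shred_free(void *p)
{
    shred_hdr *h;
    if (!p)
        return;
    h = (shred_hdr *)p - 1;
    shred(p, h->size);              /* wipe before the heap can reuse it */
    live_blocks--;
    free(h);
}

size_t shred_live_blocks(void) { return live_blocks; }

int main(void)
{
    char *pw = shred_malloc(16);    /* constructed sample use */
    if (!pw) return 1;
    shred_free(pw);
    return shred_live_blocks() != 0; /* non-zero exit means a leak */
}
```

A non-zero live-block count just before handing control to the loaded kernel would point at a buffer that was never freed and therefore never wiped.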