BTW some BIOSes have an option "boot virus protection" which checks the
mbr and doesn't need tpm. Then password-protecting BIOS and storing key
in flash and cutting write wire will achieve greater security that tpm
Regards
Vladimir 'phcoder' Serbinenko
I consider the way how memory is protected or how integrity of mbr is
ensured out of scope of grub2. It simply can do nothing against it. So
my goals is just making verfication chain secure. Then I hope that
someone more knowledge in chipsets will find a way to build a secure
system on the top
I agree that these measures aren't here to protect against serious
cryptanalyst. Actually there is a way which is even in my reach to crack
it. I would buy:
pci firewire card $10
Then I would download firewire debug tools and put pci card into target
computer then wait that it boots and dump th
>>> If not, who checks the MBR?
>> This can't be done by grub because it happens before any part of grub is
>> loaded. to verify grub you need to rely on vendor/platform-specific
>> mechanisms.
>> I personally find "tpm without tpm" more attractive because it can be
>> easily reused on another plat
T>his paranoid security talk is growing some big pink elephants which are
>being conveniently ignored: you people are trying to protect a HD within
>a computer that could be stolen, but you trust that the BIOS chip (in
>ROM and whatever you want), which performs the systems initialization
>(includi
El vie, 20-02-2009 a las 20:02 -0500, Isaac Dupree escribió:
> Jan Alsenz wrote:
> > Yes, that was my point. You need a trusted first step.
> > But the only thing besides a TPM, that can be used for this is the BIOS,
> > which can be flashed.
> > And even, if we assume, that we can construct a BIOS
Jan Alsenz wrote:
> Yes, that was my point. You need a trusted first step.
> But the only thing besides a TPM, that can be used for this is the BIOS,
> which can be flashed.
> And even, if we assume, that we can construct a BIOS that only boots if the
> MBR hash matches and can not be flashed prior
phcoder wrote:
>> It's not complete SHA-1, but the rest should be just a constant offset.
> I already said how it differs from standard one. If you feed padded
> byteswapped data to it and then byteswap the rsult back you obtain
> exactly normal SHA-1. But as I said if size is fixed it's compeletel
Hello
Jan Alsenz wrote:
Hi!
Wow, cool work!
Thanks
It's not complete SHA-1, but the rest should be just a constant offset.
I already said how it differs from standard one. If you feed padded
byteswapped data to it and then byteswap the rsult back you obtain
exactly normal SHA-1. But as I sai
Hi!
Wow, cool work!
It's not complete SHA-1, but the rest should be just a constant offset.
But I'm still not sure, what you are trying to do here, is the MBR your root of
trust?
If not, who checks the MBR?
Greets,
Jan
phcoder wrote:
> Hello, as promised I wrote an mbr which performs SHA-1. T
Hello, as promised I wrote an mbr which performs SHA-1. To squeeze the
code I had to remove chs and to change the bootdrive installer will have
to overwrite corresponding instruction. SHA-1 implemented in it is
little-endian and without padding. Standard version is big-endian and
with padding.
11 matches
Mail list logo
