--- crowd-funded eco-conscious hardware: https://www.crowdsupply.com/eoma68
On Wed, Aug 24, 2016 at 10:31 AM, Albert ARIBAUD <[email protected]> wrote:
> Hello,
>
> On Tue, 23 Aug 2016 19:50:30 +0200
> Henrik Nordström <[email protected]> wrote:
>> What the A20 is missing from a security perspective is secure boot
>> procedure. There is some primitive support but not really functioning.
>> Some of you may think I am crazy speaking about secure boot, but
>> properly used it is a very strong tool for ensuring that the installed
>> software is not tampered with by untrusted parties. But this requires
>> that you are in control of the security keys and not some untrusted
>> proprietary vendor.
>
> Agreed that secure boot is a tool which can be used for good as well as
> bad. My personal opinion is that I'm fine with secure boot as long as
> there is a way back -- i.e. a way to revert the whole thing to a "blank"
> state where, yes, whatever keys were inside are erased so encrypted
> data that was on the device may be lost (except possibly to sufficient
> crypto-analysis resources), but the device can always be "refitted" with
> new keys for new data.

... and that's where things like the TI SoCs and the Samsung Exynos SoCs fall down. you simply *cannot* undo a blown e-fuse: that's the whole point.

which is why if you were to ship a processor that *didn't* have its "secure e-fuse" blown, you're actually selling people a ticking time-bomb where the possibility exists for someone to hack into your computer, install some spyware at the bootloader level, blow the e-fuse and then you're *really* screwed. a whole new ransomware vector at the *hardware* level. dang.

which is why i contacted TI to ask them if there was a way to blow the e-fuses so that DRM could ****NEVER**** be enabled. they were incredibly surprised: i was literally the first person ever to ask them.

oh... the answer was "no".

l.
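The two shipping policies argued over above, modelled as an added example (not code from the thread or from any SoC vendor): a hypothetical one-time-programmable fuse bank where every fuse can only go from unblown to blown, a simplified boot ROM that compares an image digest against the fused hash (real secure boot verifies a signature against a fused public-key hash; the digest stands in for that here), and the "disable forever" fuse the message asked TI for. All names and images are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def _digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


@dataclass
class FuseBank:
    """Hypothetical OTP fuse bank: each field moves from unblown to blown exactly once."""
    key_hash: Optional[bytes] = None  # digest of the only bootloader the ROM will run
    locked: bool = False              # secure boot enforced; set together with key_hash
    disabled: bool = False            # the "can never be enabled" fuse asked of TI

    def blow_secure_boot(self, image: bytes) -> None:
        # A blown fuse cannot be cleared, so whichever choice came first is final.
        if self.locked or self.disabled:
            raise PermissionError("fuse already blown; there is no way back")
        self.key_hash, self.locked = _digest(image), True

    def blow_disable(self) -> None:
        if self.locked:
            raise PermissionError("secure boot already locked; cannot be disabled")
        self.disabled = True


def boot_decision(fuses: FuseBank, image: bytes) -> str:
    """What the simplified boot ROM does with an image, given the fuse state."""
    if fuses.disabled:
        return "boot-any"               # device stays open permanently
    if not fuses.locked:
        return "boot-any-unprovisioned"  # the time bomb: the first writer decides
    return "boot-verified" if _digest(image) == fuses.key_hash else "refuse"


def ship_unprovisioned(first_writer_image: bytes, owner_image: bytes) -> Tuple[str, str]:
    """Policy A: fuses left blank at the factory. Whoever blows them first wins, for good."""
    fuses = FuseBank()
    fuses.blow_secure_boot(first_writer_image)
    return boot_decision(fuses, first_writer_image), boot_decision(fuses, owner_image)


def ship_with_disable_fuse(owner_image: bytes) -> Tuple[str, str]:
    """Policy B: disable fuse blown at the factory. Nobody can lock the device later."""
    fuses = FuseBank()
    fuses.blow_disable()
    try:
        fuses.blow_secure_boot(owner_image)
        late_lock = "locked"
    except PermissionError:
        late_lock = "cannot-lock"
    return boot_decision(fuses, owner_image), late_lock
```

Under policy A the owner's own image is refused once someone else has fused a different hash, and no later write can recover the device; under policy B the owner keeps booting whatever they like and a later attempt to lock the device fails.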
_______________________________________________
arm-netbook mailing list
[email protected]
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to [email protected]
