Ok, I'm not going to get too far into this, because I'm no real security expert, but:
On Jan 30, 2008 11:40 AM, Philipp Marek <[EMAIL PROTECTED]> wrote:
> > > - Using some operating system unencrypted - boot from a CD.
> > > - Protect the boot order - reset the CMOS.
> > > - Store important information in the CMOS.
> > Neither is this.
> No, this should illustrate my thoughts ... so you can tell me *where* I'm
> wrong.
>
> > Coreboot will unconditionally launch its payload, so your interest should go
> > there.
> That's ok. It's a "normal" OS that has to be started.
>
> > Maybe you are also caught up too much in the conventional boot
> > process;
> That's possible, and that's why I'm asking here!
> I don't know that many ways to boot a machine - use ROM; use a BIOS and
> another medium; and that's it.
>
> Is there some easy solution I don't see?
>
> And just storing everything in ROM is a bit ... costly, and doesn't help
> against *getting* the secrets.
> Using some cheap substitute like flash memory only moves the problem from one
> location to another ...

I think what he was trying to say is that if you give coreboot, say, a FILO payload set up to boot from some medium, with no support for any other medium, then there's no switch you can throw, short of flashing a new BIOS onto the board. You can do the same thing with a Linux kernel, use that to unconditionally kexec to a specific medium, or with large enough flash, you could store the entire kernel in flash.

-Corey
--
coreboot mailing list
[email protected]
http://www.coreboot.org/mailman/listinfo/coreboot

