2009/9/21 Sam Mason <[email protected]>:
> On Mon, Sep 21, 2009 at 02:49:46PM +0200, Arne Babenhauserheide wrote:
>> Now imagine this as general protection measure for the whole internet.
>
> The point I was trying to make is that this doesn't work for "the
> whole internet". This is for a small, mostly homogeneous set of
> systems where you want to be sure of what code they're running. These
> computers may indeed be connected over the internet and hence be in
> different administrative domains. TPM helps to make sure the admins are
> honest, but as they have the hardware there's always the chance they
> could physically alter the hardware in ways that it doesn't notice.
> Non-physical attacks should be prevented though.
Well, this was discussed to death on another list (grub-devel). The admins typically do have physical access, and physical access makes it possible to launch quite a few attacks that are feasible with resources a system administrator would typically possess (spare hardware parts, a digital voltmeter). If you really want to protect against that you *need* physical security. And if you do have physical security you have to do the administration yourself anyway, so the system need not protect against an administrator.

On the other hand, a TPM-based verification is enough to lock an average Joe User out of his computer. In general it gives a false sense of security, which is worse than useless, yet if abused it can cause additional damage. I would avoid that thing altogether.

Thanks

Michal
