On Mon, Sep 21, 2009 at 04:00:58PM +0200, Michal Suchanek wrote:
> 2009/9/21 Sam Mason <[email protected]>:
> > The point I was trying to make is that this doesn't work for "the
> > whole internet".
>
> Well, this was discussed to death on another list (grub-devel).

Any pointers? I found a couple of discussions, but they didn't look very interesting.

> The
> admins typically do have physical access, and physical access makes it
> possible to launch quite a few attacks that are feasible with
> resources a system administrator would typically possess (spare
> hardware parts, digital voltmeter).

Yup, I wasn't trying to protect against the admin. Just noting that it will help to tell them when things are getting out of date.

> If you really want to protect against that you *need* physical
> security. And if you do have physical security you have to do the
> administration yourself anyway so the system need not protect against
> an administrator.

But you can't be sure that a remote attacker hasn't put a rootkit in somewhere. AFAIU, TPM should allow you to detect this.

> On the other hand, a TPM based verification is enough to lock out an
> average Joe User out of his computer.

I'd agree, I'm struggling to think of any use cases outside of high assurance that would want anything to do with TPM. But why does it matter? In the above case the machine would just go into a loop when logging into the network and the admin would realize and intervene at some point and reimage the machine. The normal user wouldn't be trying to log into a network that cared and hence wouldn't be any the wiser that anything was amiss.

I personally think that the media's perverted use of TPM has colored most people's viewpoint of it. There was a lot of good research that went into it and it seems like a waste to throw it all away just because the use that people initially heard about is particularly horrible.

--
Sam http://samason.me.uk/
