Re: CONFIG_INTEL_TXT
On Fri, 2009-10-23 at 13:51 -0400, Eric Paris wrote: > No, Arjan is right. Jon is talking about wildly unrelated system attack > vectors which are in no way related to TXT or to the binary blob. I made a joke about paranoid ranting on LKML and missed off a smiley face...sorry! :) :) :) There are bigger things to worry about than someone taking the RAM chips out of my system while it's suspended. Jon. ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
On Fri, 2009-10-23 at 18:34 +0100, Christopher Brown wrote: > 2009/10/23 Arjan van de Ven : > > On Thu, 22 Oct 2009 18:39:53 +0100 > > Jon Masters wrote: > > > >> Don't forget to mention the more paranoid hand-waving about removing > >> RAM chips at runtime with liquid nitrogen after going into suspend and > >> hax0ring. I think there will be more upstream discussion anyway. > > > > I'm sorry but this argument makes no sense whatsoever. > > > > Claiming that a feature should not be enabled because someone is talking > > about a mythical attack that is waaay outside the scope of what a > > technology wants to protect is not solid reasoning, it's fear mongering > > instead. > > All the same, it was disappointing news to me to read that Intel are > even pushing stuff that leverages binary blobs with no source code. > There would be nothing to fear and no need for fear mongering if it > was an open blob. It would make the whole argument moot. No, Arjan is right. Jon is talking about wildly unrelated system attack vectors which are in no way related to TXT or to the binary blob. Jon was out of line seemingly trying to scare people away from this technology for wholly illogical reasons. It's like we're talking about putting a lock on the window and Jon's talking about cutting through the walls. It's just not useful. Open or closed blob is irrelevant and does not influence the situation to his fear mongering line of attack. Please, however, continue to be disappointed that Intel is pushing a closed source blob. That is a productive train of thought :) -Eric ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
2009/10/23 Arjan van de Ven : > On Thu, 22 Oct 2009 18:39:53 +0100 > Jon Masters wrote: > >> Don't forget to mention the more paranoid hand-waving about removing >> RAM chips at runtime with liquid nitrogen after going into suspend and >> hax0ring. I think there will be more upstream discussion anyway. > > I'm sorry but this argument makes no sense whatsoever. > > Claiming that a feature should not be enabled because someone is talking > about a mythical attack that is waaay outside the scope of what a > technology wants to protect is not solid reasoning, it's fear mongering > instead. All the same, it was disappointing news to me to read that Intel are even pushing stuff that leverages binary blobs with no source code. There would be nothing to fear and no need for fear mongering if it was an open blob. It would make the whole argument moot. -- Christopher Brown ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
On Fri, 2009-10-23 at 08:20 -0700, Arjan van de Ven wrote: > On Thu, 22 Oct 2009 18:39:53 +0100 > Jon Masters wrote: > > > Don't forget to mention the more paranoid hand-waving about removing > > RAM chips at runtime with liquid nitrogen after going into suspend and > > hax0ring. I think there will be more upstream discussion anyway. > > I'm sorry but this argument makes no sense whatsoever. Smiley face missed off there - I wasn't being serious about the attacking of TXT. At the end of the day, if you've got physical access to a system, there are worse things you can do. Jon. ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
On Thu, 22 Oct 2009 18:39:53 +0100 Jon Masters wrote: > Don't forget to mention the more paranoid hand-waving about removing > RAM chips at runtime with liquid nitrogen after going into suspend and > hax0ring. I think there will be more upstream discussion anyway. I'm sorry but this argument makes no sense whatsoever. Claiming that a feature should not be enabled because someone is talking about a mythical attack that is waaay outside the scope of what a technology wants to protect is not solid reasoning, it's fear mongering instead. -- Arjan van de VenIntel Open Source Technology Centre For development, discussion and tips for power savings, visit http://www.lesswatts.org ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
On Thu, 2009-10-22 at 13:24 -0400, Eric Paris wrote: > On Thu, 2009-10-22 at 11:33 -0400, Stephen Smalley wrote: > > Would it be possible to get CONFIG_INTEL_TXT enabled in the Fedora > > kernel x86 and x86_64 configs going forward? > > After some discussion with a couple of people on the Fedora kernel team > on IRC they decided that we should not enable CONFIG_INTEL_TXT until it > is useful for something other than a closed source binary blob which > Fedora is unable to distribute. We have messaged that Fedora was unable > to include the binary blob from Intel and it has been suggested that > they create an open module rather than forcing Linux users to trust some > part of their system security to an unknown binary blob. Hopefully you > can add your weight to that discussion and help intel see the need for > an open source blob. Don't forget to mention the more paranoid hand-waving about removing RAM chips at runtime with liquid nitrogen after going into suspend and hax0ring. I think there will be more upstream discussion anyway. Jon. ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
Re: CONFIG_INTEL_TXT
On Thu, 2009-10-22 at 11:33 -0400, Stephen Smalley wrote: > Would it be possible to get CONFIG_INTEL_TXT enabled in the Fedora > kernel x86 and x86_64 configs going forward? After some discussion with a couple of people on the Fedora kernel team on IRC they decided that we should not enable CONFIG_INTEL_TXT until it is useful for something other than a closed source binary blob which Fedora is unable to distribute. We have messaged that Fedora was unable to include the binary blob from Intel and it has been suggested that they create an open module rather than forcing Linux users to trust some part of their system security to an unknown binary blob. Hopefully you can add your weight to that discussion and help intel see the need for an open source blob. -Eric ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
CONFIG_INTEL_TXT
Would it be possible to get CONFIG_INTEL_TXT enabled in the Fedora kernel x86 and x86_64 configs going forward? Thanks. -- Stephen Smalley National Security Agency ___ Fedora-kernel-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/fedora-kernel-list
