On Mon, 2008-03-10 at 18:18 -0500, Brian Cameron wrote:

> I am not sure how to meet this requirement. Hopefully the people from
> the security team can help provide some idea of how to accomplish this.
On the input side the traditional mechanism is a "secure attention key" -- some key or set of keys on the keyboard which, if pressed at any time, gets the attention of the trusted path and which cannot be intercepted by anything outside the trusted path. Windows apparently uses control-alt-delete for this now. Linux does something with the SysRq key. One possible action for a secure attention key would be to hide all windows which aren't part of the trusted path.

On the output side you need to steal some part of the display -- either some part of the trusted path needs to get involved in window manager decorations (which is what TX does now, IIRC) and/or what Nico suggested with respect to losing some number of pixels on the screen to the trusted path indicator at all times. I suspect this may be unpopular so we may need to have this be a configurable mode of operation.

How this interacts with virtualization will be interesting (if you have a window on your screen which is a virtual display of a virtual machine, what out-of-band mechanism do you use to send *it* a secure attention key?)

- Bill
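A toy model of the input-side design Bill describes, added here as an illustration and not code from this thread or from any GNOME or Trusted Extensions component: the SAK check sits in the input stack below every window, so an untrusted window that has grabbed the keyboard sees ordinary keystrokes but can never see or swallow the SAK, and the SAK handler hides everything outside the trusted path. The chord, window names and classes are constructed assumptions.

```python
"""Toy model of a secure attention key (SAK) in an input stack.
Constructed example: the chord, names and classes are assumptions."""
from dataclasses import dataclass, field

SAK = ("ctrl", "alt", "del")  # assumed SAK chord, as Windows uses


@dataclass
class Window:
    name: str
    trusted: bool               # part of the trusted path?
    grabs_input: bool = False   # untrusted keyboard grab, e.g. a spoofed login dialog
    visible: bool = True
    received: list = field(default_factory=list)


class InputStack:
    """Routes key events. The SAK check runs before any window is consulted,
    so nothing outside the trusted path can intercept it."""

    def __init__(self, windows):
        self.windows = windows
        self.sak_count = 0

    def deliver(self, chord):
        if tuple(chord) == SAK:
            self.sak_count += 1
            for w in self.windows:          # hide everything not in the trusted path
                if not w.trusted:
                    w.visible = False
            return "trusted-path"
        # Ordinary input goes to a visible grabbing window first (the attacker's
        # spoof sees it before anyone), otherwise to the visible trusted window.
        visible = [w for w in self.windows if w.visible]
        target = next((w for w in visible if w.grabs_input), None) \
            or next(w for w in visible if w.trusted)
        target.received.append(tuple(chord))
        return target.name


def demo():
    login = Window("trusted-login", trusted=True)
    spoof = Window("spoofed-login", trusted=False, grabs_input=True)
    stack = InputStack([login, spoof])
    first = stack.deliver(("p",))           # stolen by the spoofed dialog
    stack.deliver(SAK)                      # SAK bypasses the grab and hides the spoof
    second = stack.deliver(("p",))          # now reaches the real login
    return first, second, spoof.visible, login.received


if __name__ == "__main__":
    print(demo())
```

The model deliberately has no way for a window to register interest in the SAK chord; that absence is the whole security property.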