[prev in list] [next in list] [prev in thread] [next in thread] 

List:       eros-arch
Subject:    Re: [EROS-Arch] Re: [E-Lang] Re: Interaction Design for  End-User  Security
From:       "Jonathan S. Shapiro" <shap () eros-os ! org>
Date:       2001-04-01 17:52:25
[Download RAW message or body]

Actually, Bill Arbaugh has done some work on secure bootstrap right from the
BIOS. Do a web search for "Arbaugh AEGIS" and you'll find it.

It is feasible (indeed, straightforward) to build a BIOS that won't boot *at
all* unless a validated iButton is present. Similarly, it won't consent to
reflash. Short of physically desoldering the BIOS, a floppy won't help.

By the way, the secure bootstrap also validates the devices that are
attached. It can be subverted only by devices that themselves lack BIOS
chips or identifiable hardware characteristics. What this boils down to is
that you need a custom-made card with access to main memory to subvert such
a machine.

Note that if an iButton is initially required, the contents of the disk can
themselves be encrypted in such a way that the data is unrecoverable without
the iButton. Conceptually: the BIOS contains a list of valid iButtons and
also a copy of the disk key encrypted by each valid iButton.

The list of valid iButtons is mildly tough, because you don't want these
keys scannable in the clear from the ROM. The solution is to have a known
block of the ROM that is encrypted for each iButton and is trailed by it's
SHA hash (also encrypted). The BIOS boots up and simply attempts the decrypt
for each region using the iButton provided. If it generates a valid decrypt,
the boot continues.

Jonathan

_______________________________________________
eros-arch mailing list
eros-arch@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/eros-arch

[prev in list] [next in list] [prev in thread] [next in thread]