[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Broken dream of mine :(

From: Sam Mason
Subject: Re: Broken dream of mine :(
Date: Tue, 22 Sep 2009 15:50:03 +0100
User-agent: Mutt/1.5.13 (2006-08-11)

On Tue, Sep 22, 2009 at 12:09:44PM +0200, Michal Suchanek wrote:
> 2009/9/22 Sam Mason <address@hidden>:
> > On Tue, Sep 22, 2009 at 12:42:17AM +0200, Michal Suchanek wrote:
> >> But it will break your system.
> >
> > No it effing will not and stop being so silly.  You choose whether your
> > computer is going to run an OS that's going to surrender its authority
> > to somebody else.  If not then anything we do won't matter anyway.
> I don't get the first sentence of the above paragraph. However, it
> seems you are getting the wrong impression here.

Yes, I mis-understood you.  I thought you mean that you meant that any
introduction of TPM (independent of the OS you're using) will "break your

> The TPM chip will not
> break your system because you use it to lock yourself out. In that
> case you break your system.

But that's the whole point; I *want* to lock myself out of the system.
If somebody breaks in and installs some malicious code then I want it to
break in the most obvious way possible.  The admin then reinstalls the
system and only when everything has been brought back to normal will the
system will be allowed back into the network.

> However, if you rely on TPM for security and the module is in fact
> broken you lose any security and can throw away your system. If you
> rely on simple hardware measures (like flash write protection) and
> write the rest in software then it's more likely that if anything
> breaks it's the software and you can replace that. You can also verify
> that a write protected flash is really write protected. Good luck with
> testing a TPM really adheres to specification under all possible
> conditions.

Well, the converse is that you'd also have to verify "under all
possible conditions" that a readonly flash is really readonly.  Quite a
lot of motherboards these days will revert to a second copy of the bios
and this could start breaking things.  Booting from the network is quite
often set in the network card itself and this would be independent of
the readonly state of the bios itself.  To be in this level of detail
though we really need to be talking about specific bits of hardware and
much more domain specific applications.

It's far enough of topic already!

  Sam  http://samason.me.uk/

reply via email to

[Prev in Thread] Current Thread [Next in Thread]