
Fedora reexamines "trusted boot"

Posted Jul 1, 2011 14:32 UTC (Fri) by geofft (subscriber, #59789)
In reply to: Fedora reexamines "trusted boot" by alonz
Parent article: Fedora reexamines "trusted boot"

I'd like to know more about why you say it's ineffective as a security measure?

I'm thinking (only thinking, no real plans) about deploying it in a large academic environment, where we're able to take kernel updates all the time and in fact have auto-updates, and the local machines are also stateless so we can reinstall them at any time. Trusted boot would let us know whether or not the system was booted normally or e.g. from a CD or in single-user mode, and whether the disk had been tampered with since last time it was trusted-booted. We're fine assuming that we take updates often enough to avoid rootkits (and in fact we have no network login on these machines), and that in case we suspect something we just want to trigger a remote reinstall.

Will trusted boot and remote attestation not work here?

Note that we have no desire to prevent people from rebooting terminals into a live CD. We just want them not to mess with the hard disk when doing so, and we want to know if they _left_ it booted into a live CD.
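The check geofft describes (did the box boot the managed image, or a live CD or single-user mode, and does the event log actually match what the TPM quoted) can be sketched as a measured-boot chain plus a verifier. This is an added example, not code from the thread or from tboot; it assumes a SHA-256 extend, constructed component blobs, and an allow-list of known-good hashes, and it leaves out the TPM quote signature and the DRTM/SINIT launch itself.

```python
import hashlib

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM PCR extend: PCR_new = H(PCR_old || digest). Only resettable by a
    # reboot, which is what makes the chain meaningful to a remote verifier.
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components):
    """Simulated measured boot: each stage hashes the next into the PCR and
    appends an event-log entry. Returns (quoted PCR value, event log)."""
    pcr, log = bytes(32), []
    for name, blob in components:
        d = H(blob)
        pcr = extend(pcr, d)
        log.append((name, d))
    return pcr, log

# Constructed known-good measurements for the managed image. Two kernels are
# allowed because a site that auto-updates must tolerate the previous one.
GOLDEN = {
    "bootloader": {H(b"grub2 2.00 site build")},
    "kernel":     {H(b"vmlinuz-site-A"), H(b"vmlinuz-site-B")},
    "initrd":     {H(b"initramfs-site")},
    "cmdline":    {H(b"root=/dev/sda2 ro quiet")},
}

def verify(quoted_pcr, log, golden=GOLDEN):
    """Verifier side: replay the log and confirm it reproduces the quoted PCR
    (so the log was not edited), then check every stage against the
    allow-list. Returns (ok, list of reasons)."""
    replay = bytes(32)
    for _, d in log:
        replay = extend(replay, d)
    if replay != quoted_pcr:
        return False, ["event log does not match quoted PCR"]
    bad = [name for name, d in log if d not in golden.get(name, set())]
    return (not bad), bad

# Constructed boot chains: the managed image, a live CD, and single-user mode.
NORMAL = [("bootloader", b"grub2 2.00 site build"), ("kernel", b"vmlinuz-site-A"),
          ("initrd", b"initramfs-site"), ("cmdline", b"root=/dev/sda2 ro quiet")]
LIVECD = [("bootloader", b"isolinux"), ("kernel", b"vmlinuz-livecd"),
          ("initrd", b"initramfs-livecd"), ("cmdline", b"root=live:CDLABEL=Fedora")]
SINGLE = NORMAL[:3] + [("cmdline", b"root=/dev/sda2 ro quiet single")]

if __name__ == "__main__":
    for label, chain in (("normal", NORMAL), ("livecd", LIVECD), ("single", SINGLE)):
        print(label, verify(*measured_boot(chain)))
```

Single-user mode is only caught because the kernel command line is measured as its own stage; a chain that measured just the kernel image would report it as a normal boot.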


Fedora reexamines "trusted boot"

Posted Jul 1, 2011 15:01 UTC (Fri) by mjg59 (subscriber, #23239)

There have been various flaws in Intel chipsets that allow attacks, the most entertaining being an exploit in the BIOS flasher code that would allow you to flash unsigned BIOS images and replace the sinit. I don't believe there are any _known_ flaws in current systems, but http://theinvisiblethings.blogspot.com/search/label/trust... discusses some of the ones that have been found.

So I don't think there's any direct evidence that it's ineffective, merely that history suggests that anything that's never been seriously attacked and which has a track record of holes tends to have more holes that haven't been found yet...

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:04 UTC (Sun) by alonz (subscriber, #815)

OK, I'll qualify my statements above a bit:
Trusted Boot has been shown to be ineffective as a general security measure for open environments.

If your system is managed centrally, and does not permit execution of locally-introduced code, you're likely OK. Also, if the only purpose of your trusted boot solution is access control to centrally-managed systems, your risk is at least controllable.

The issue with trusted boot is that it's often presented as a “magic bullet”—e.g., claiming that trusted boot (from a local disk!) is an effective countermeasure against rootkits.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds