The machine owner should (through a demonstration of physical presence) be able to do whatever they want. Someone who doesn't have physical presence shouldn't be able to modify the booted kernel, even if they have privileged access.
Posted Sep 25, 2013 23:05 UTC (Wed) by dlang (✭ supporter ✭, #313)
This works for personal devices like laptops, but not for servers.
NVIDIA to provide documentation for Nouveau
Posted Sep 25, 2013 23:07 UTC (Wed) by mjg59 (subscriber, #23239)
Yes, which is why we have IPMI.
NVIDIA to provide documentation for Nouveau
Posted Sep 26, 2013 2:32 UTC (Thu) by dlang (✭ supporter ✭, #313)
Two things here.
Not all systems that are deployed as servers have IPMI.
Trading a system that requires root access to do things for a system that puts its console on the network exposed to attackers (especially where that console is 'secured' by vendor proprietary code) doesn't seem like a win to me.
IPMI
Posted Sep 26, 2013 15:06 UTC (Thu) by tialaramex (subscriber, #21167)
"not all systems that are deployed as servers have IPMI"
Sure, it's totally acceptable to choose no lights out management if you have 24/7 hands-on. The 24/7 hands-on people are physically present and meet that constraint.
The practice of calling a cheap desktop PC in a closet a "server" has plenty of other problems long before you get to remote management.
We have drifted far off topic.
NVIDIA to provide documentation for Nouveau
Posted Sep 26, 2013 15:13 UTC (Thu) by mjg59 (subscriber, #23239)
If you don't deploy using IPMI then you clearly have physical access during initial configuration. And if you've left the IPMI network connected to the rest of your network, you're doing it very, very wrong. But since nobody in the server market seems to be talking about shipping with Secure Boot enabled by default, you can do your key installation in any way you want.
NVIDIA to provide documentation for Nouveau
Posted Sep 26, 2013 22:48 UTC (Thu) by jmorris42 (subscriber, #2203)
> The machine owner should (through a demonstration of physical
> presence) be able to do whatever they want.
Nope. Physical presence does not equal ownership. We circulate laptops as library material. Do they get to do whatever they want? Oh heck no. And if the security tape over the screws is tampered with we fine em to cover our time reauditing the system.
How about a lab computer for library patrons? They are sitting at the console, so they install a new OS? Not on my systems they ain't, at least not without a screwdriver and some way to distract the staff.
NVIDIA to provide documentation for Nouveau
Posted Sep 27, 2013 4:43 UTC (Fri) by mjg59 (subscriber, #23239)
Does physical ownership in your environment equal root? If so, you have other problems. If not, you have nothing to worry about.