
It is about the keys, not the blob

Posted Apr 15, 2010 17:17 UTC (Thu) by dlang (subscriber, #313)
In reply to: It is about the keys, not the blob by jarrett.miller
Parent article: Enabling Intel TXT in Fedora

the thing is that without the source for the SINIT blob (and the ability to verify that the binary matches the source), it is very hard to validate that it is as simple as you claim it is.

it may very well be that simple, but if all you have to go by is the decompiled binary, that's not an easy thing to verify.



It is about the keys, not the blob

Posted Apr 15, 2010 22:53 UTC (Thu) by jarrett.miller (guest, #60765) [Link]

I don't understand. What is it you want to verify about the SINIT module? You either trust it or you do not. I don't know about you but I find it easier to trust the SINIT module than the BIOS image.

Do you demand the source code for the cpu microcode update file? A microcode update is the most similar thing to the SINIT module. It is also distributed in binary-only format and it's also signed with an Intel-owned key. Its purpose is also the same: to provide the required semantics of the ISA. I think it's best to think of the SINIT module as a special microcode file required to support the semantics of the GETSEC instruction.

I guess I just don't understand all the hate and fear of TXT and the SINIT module. I mean there are far worse things in the Linux ecosystem. It's not a binary blob daemon like the one required by the 3945 Wifi chipset. It's not a binary-only driver that hangs around the entire time the kernel is up. It's important to remember that the SINIT module is designed to terminate. It's not some background thing that spies on people or something. It just executes and it either terminates with an error code related to how the chipset is currently configured or it transfers control to your own code after having made sure the chipset is properly configured.

Imagine if you had to load a binary blob microcode file to spawn a virtual machine using VT-x. If that was required, would Fedora refuse to ship KVM? As far as I am concerned this hypothetical scenario is the same thing as TXT and the SINIT module.

It is about the keys, not the blob

Posted Apr 15, 2010 22:59 UTC (Thu) by nix (subscriber, #2304) [Link]

Do you demand the source code for the cpu microcode update file?
Well, where microcode update files are concerned, I just want a changelog, but Intel don't even give us that.

