For crying out loud - WRITE ENABLE SWITCH!

Posted Jun 16, 2011 10:02 UTC (Thu) by NRArnot (subscriber, #3033)
Parent article: UEFI and "secure boot"

The answer is as old as the hills, it's been used on mechanical devices ever since they got to be capable of amputating fingers. A scabbard for a knife or sword, a safety catch on a firearm, ....

In electronics form, it's the WRITE ENABLE switch, which I first saw on a DEC exchangeable-platter disk drive storing all of 20Mb on 15-inch FeO2-coated platters.

It doesn't have to be a switch, just something that can be done by the owner, given physical access to the hardware, and never by a piece of malicious software (at least, not until the hardware is a robot, in which case we'll have to re-discover what for a human is the small of his back).

Anyway, for a PC motherboard, there should be a SECURE BOOT DISABLE jumper, just as there is a password disable jumper for the better modern BIOSes. For other smart devices, something similar, requiring a simple but nontrivial amount of fiddling with the device.

For manufacturers worried about warranty returns, it might even be a one-way trip - protect the switch or jumper with one of those "warranty void if removed" security labels. Two levels of the same idea.

For crying out loud - WRITE ENABLE SWITCH!

Posted Jun 16, 2011 17:52 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

A lot of TPMs have a requirement for 'physical proof of presence' to do hardware reset. Usually, it requires pressing a certain key on hardware keyboard (with TPM hardwired to hardware keyboard controller).