On Fri, 3 Mar 2017 08:48:30 -0500 Taiidan@×××.com wrote:

> Of course, as I stated you have to bootstrap the crypto from the
> motherboard EEPROM chip.
> >> One way is to use a blob-free coreboot IOMMU supporting board and
> >> bootstrap the crypto/kernel off of the board firmware EEPROM chip to
> >> load the initial kernel thus no plaintext touches the disk and thus
> >> nothing can mess with it.
> >>
> >> The IOMMU (theoretically) protects the CPU and memory from rogue
> >> devices, such as the hard drive.
> > No. Any DMA capable device can bypass IOMMU. IOMMU was not
> > designed to protect OS from device.
> That isn't true, it was designed for exactly that and of course for
> assigning devices to VMs.
>
> I get an AMD-Vi IOMMU IO_PAGE_FAULT alert in dmesg whenever a device
> tries to do something it shouldn't and the remapping hardware blocks it.
>
> In Linux the kernel/drivers configure which memory locations the devices
> are allowed to access.

This can be easily bypassed. See my reply to Rich in this thread.
It may protect you from accidental errors; it will not protect you
from malicious action.

> >> In terms of ethics IBM *for now* is a way better company than Intel/AMD,
> >> their POWER servers are owner controlled as there isn't any boot
> >> guard/secure boot/management engine/platform "security" processor (amd's
> >> ME) to stop you from re-writing the firmware as you please. They also
> >> have a getting-there-almost-reasonable open source effort (OpenPOWER)
> > Indeed they are. But those boxes are quite expensive and hard to get.
> Hard to get? You can buy them from IBM's website like any other computer.
> http://www-03.ibm.com/systems/power/hardware/linux-lc.html

There is no way to import them into my country now. In a year or
two maybe, but not now :/

Best regards,
Andrew Savchenko
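The quoted message mentions the AMD-Vi IO_PAGE_FAULT lines the Linux AMD IOMMU driver logs when the remapping hardware blocks a device's DMA access. Whatever one concludes about how strong that protection is, those lines are at least a useful detection signal: a device that keeps hitting addresses outside the mappings its driver set up is worth a look. The following script is an added example and is not code from either author of this thread. It parses constructed dmesg lines shaped like the driver's message in older kernels (device BDF inside the bracketed event) and newer kernels (PCI address as the dev_err prefix), and summarises blocked accesses per device. The exact message layout in a given kernel version is an assumption; adjust the regular expressions to what your dmesg shows.

```python
import re
from collections import defaultdict

# Constructed sample dmesg lines (not from the thread). They follow the shape of
# the AMD IOMMU driver's IO_PAGE_FAULT messages: older kernels put device= inside
# the brackets, newer ones print the PCI address as a dev_err() prefix.
SAMPLE_DMESG = """\
[   12.345678] AMD-Vi: Event logged [IO_PAGE_FAULT device=01:00.0 domain=0x0001 address=0x00000000fffffff0 flags=0x0070]
[   12.345912] AMD-Vi: Event logged [IO_PAGE_FAULT device=01:00.0 domain=0x0001 address=0x00000000fffffff8 flags=0x0070]
[   20.100000] xhci_hcd 0000:00:14.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x7f000000 flags=0x0020]
[   25.000000] usb 1-2: new high-speed USB device number 3 using xhci_hcd
"""

# Older-kernel form: the device BDF sits inside the bracketed event.
OLD_RE = re.compile(
    r"AMD-Vi: Event logged \[IO_PAGE_FAULT device=(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]) "
    r"domain=0x(?P<domain>[0-9a-f]+) address=0x(?P<addr>[0-9a-f]+) flags=0x(?P<flags>[0-9a-f]+)\]"
)
# Newer-kernel form: the device appears as the dev_err() prefix before "AMD-Vi:".
NEW_RE = re.compile(
    r"(?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]): AMD-Vi: Event logged \[IO_PAGE_FAULT "
    r"domain=0x(?P<domain>[0-9a-f]+) address=0x(?P<addr>[0-9a-f]+) flags=0x(?P<flags>[0-9a-f]+)\]"
)


def parse_io_page_fault(line):
    """Return a dict describing an AMD-Vi IO_PAGE_FAULT line, or None if the
    line is not such an event."""
    for rx in (OLD_RE, NEW_RE):
        m = rx.search(line)
        if m:
            bdf = m.group("bdf")
            if len(bdf) == 7:
                # Old form carries no PCI segment; assume segment 0000 (assumption).
                bdf = "0000:" + bdf
            return {
                "device": bdf,
                "domain": int(m.group("domain"), 16),
                "address": int(m.group("addr"), 16),
                "flags": int(m.group("flags"), 16),
            }
    return None


def summarize_faults(dmesg_text):
    """Group blocked DMA attempts by device: how many, and the address range
    the device tried to touch. Repeated faults from one device against the
    same region are the pattern a defender would want to notice."""
    per_dev = defaultdict(lambda: {"count": 0, "addresses": []})
    for line in dmesg_text.splitlines():
        ev = parse_io_page_fault(line)
        if ev is None:
            continue
        entry = per_dev[ev["device"]]
        entry["count"] += 1
        entry["addresses"].append(ev["address"])
    return {
        dev: {
            "count": s["count"],
            "lowest": min(s["addresses"]),
            "highest": max(s["addresses"]),
        }
        for dev, s in per_dev.items()
    }


if __name__ == "__main__":
    # On a live system: summarize_faults(subprocess.check_output(["dmesg"], text=True))
    for dev, s in summarize_faults(SAMPLE_DMESG).items():
        print(f"{dev}: {s['count']} blocked DMA access(es), "
              f"0x{s['lowest']:x}..0x{s['highest']:x}")
```

The summary only records what the IOMMU reported blocking; it says nothing about accesses the hardware allowed, which is exactly the gap the reply above is pointing at.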