| 1 |
On Fri, 3 Mar 2017 08:48:30 -0500 Taiidan@×××.com wrote: |
| 2 |
> Of course, as I stated you have to bootstrap the crypto from the |
| 3 |
> motherboard EEPROM chip. |
| 4 |
> >> One way is to use a blob-free coreboot IOMMU supporting board and |
| 5 |
> >> bootstrap the crypto/kernel off of the board firmware EEPROM chip to |
| 6 |
> >> load the initial kernel thus no plaintext touches the disk and thus |
| 7 |
> >> nothing can mess with it. |
| 8 |
> >> |
| 9 |
> >> The IOMMU (theoretically) protects the CPU and memory from rogue |
| 10 |
> >> devices, such as the hard drive. |
| 11 |
> > No. Any DMA capable device can bypass IOMMU. IOMMU was not |
| 12 |
> > designed to protect OS from device. |
| 13 |
> That isn't true, it was designed for exactly that and of course for |
| 14 |
> assigning devices to VM's. |
| 15 |
> |
| 16 |
> I get an AMD-Vi IOMMU IO_PAGE_FAULT alert in dmesg whenever a device |
| 17 |
> tries to do something it shouldn't and the remapping hardware blocks it. |
| 18 |
> |
| 19 |
> In linux the kernel/drivers configure which memory locations the devices |
| 20 |
> are allowed to access. |
| 21 |
|
| 22 |
This can be easily bypassed. See my reply to Rich in this thread. |
| 23 |
It may protect you from accidental errors, it will not protect you |
| 24 |
from malicious action. |
| 25 |
|
| 26 |
> >> In terms of ethics IBM *for now* is a way better company than Intel/AMD, |
| 27 |
> >> their POWER servers are owner controlled as there isn't any boot |
| 28 |
> >> guard/secure boot/management engine/platform "security" processor (amd's |
| 29 |
> >> ME) to stop you from re-writing the firmware as you please. They also |
| 30 |
> >> have an getting-there-almost-reasonable open source effort (OpenPOWER) |
| 31 |
> > Indeed they are. But that boxes are quite expensive and hard to get. |
| 32 |
> Hard to get? You can buy them from IBM's website like any other computer. |
| 33 |
> http://www-03.ibm.com/systems/power/hardware/linux-lc.html |
| 34 |
|
| 35 |
There is no way to import them into my country now. In a year or |
| 36 |
two maybe, but not now :/ |
| 37 |
|
| 38 |
Best regards, |
| 39 |
Andrew Savchenko |
Archives