Gentoo Archives: gentoo-user

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] SHA-1 has just been broken
Date: Mon, 06 Mar 2017 20:03:19
Message-Id: 20170306230302.6ce33aa39a659af253665dcb@gentoo.org
In Reply to: Re: [gentoo-user] SHA-1 has just been broken by "Taiidan@gmx.com"
On Fri, 3 Mar 2017 08:48:30 -0500 Taiidan@×××.com wrote:
> Of course, as I stated you have to bootstrap the crypto from the
> motherboard EEPROM chip.
> >> One way is to use a blob-free coreboot IOMMU supporting board and
> >> bootstrap the crypto/kernel off of the board firmware EEPROM chip to
> >> load the initial kernel thus no plaintext touches the disk and thus
> >> nothing can mess with it.
> >>
> >> The IOMMU (theoretically) protects the CPU and memory from rogue
> >> devices, such as the hard drive.
> > No. Any DMA capable device can bypass IOMMU. IOMMU was not
> > designed to protect the OS from devices.
> That isn't true, it was designed for exactly that and of course for
> assigning devices to VMs.
>
> I get an AMD-Vi IOMMU IO_PAGE_FAULT alert in dmesg whenever a device
> tries to do something it shouldn't and the remapping hardware blocks it.
>
> In Linux the kernel/drivers configure which memory locations the devices
> are allowed to access.

This can be easily bypassed. See my reply to Rich in this thread.
It may protect you from accidental errors, it will not protect you
from malicious action.

> >> In terms of ethics IBM *for now* is a way better company than Intel/AMD,
> >> their POWER servers are owner controlled as there isn't any boot
> >> guard/secure boot/management engine/platform "security" processor (amd's
> >> ME) to stop you from re-writing the firmware as you please. They also
> >> have a getting-there-almost-reasonable open source effort (OpenPOWER)
> > Indeed they are. But those boxes are quite expensive and hard to get.
> Hard to get? You can buy them from IBM's website like any other computer.
> http://www-03.ibm.com/systems/power/hardware/linux-lc.html

There is no way to import them into my country now. In a year or
two maybe, but not now :/

Best regards,
Andrew Savchenko
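Whatever one concludes about the limits of the IOMMU debated above, the AMD-Vi IO_PAGE_FAULT events Taiidan mentions are worth collecting rather than just noticing in dmesg: a device that repeatedly hits pages outside its mapping is a signal either way. The following parser is an added example written for this page, not code from the thread; it assumes the two AMD-Vi event line formats printed by the Linux AMD IOMMU driver (older kernels put `device=` inside the brackets, newer ones prefix the line with `pci <bdf>:`), and the sample dmesg lines are constructed.

```python
import re
from collections import Counter

# Matches AMD-Vi IO_PAGE_FAULT lines in either of the driver's formats (assumption
# about the format; verify against your own kernel's dmesg output).
FAULT_RE = re.compile(
    r"(?:pci (?P<pfx>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]): )?"
    r"AMD-Vi: Event logged \[IO_PAGE_FAULT"
    r"(?: device=(?P<dev>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]))?"
    r" domain=0x(?P<domain>[0-9a-f]+)"
    r" address=0x(?P<addr>[0-9a-f]+)"
    r" flags=0x(?P<flags>[0-9a-f]+)\]"
)

# Constructed sample dmesg excerpt: three write faults from one device, one read
# fault from another, and an unrelated line that must be ignored.
SAMPLE_DMESG = """\
[   12.345678] AMD-Vi: Event logged [IO_PAGE_FAULT device=00:14.0 domain=0x0000 address=0x00000000fffffff0 flags=0x0020]
[   12.345901] AMD-Vi: Event logged [IO_PAGE_FAULT device=00:14.0 domain=0x0000 address=0x00000000fffffff0 flags=0x0020]
[   12.346123] AMD-Vi: Event logged [IO_PAGE_FAULT device=00:14.0 domain=0x0000 address=0x00000000fffffff0 flags=0x0020]
[   40.001000] pci 0000:03:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0x7f3a2000 flags=0x0000]
[   41.500000] usb 1-2: new high-speed USB device number 3 using xhci_hcd
"""


def parse_fault(line):
    """Return a dict describing an IO_PAGE_FAULT line, or None for other lines."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    flags = int(m.group("flags"), 16)
    return {
        "device": m.group("pfx") or m.group("dev"),
        "domain": int(m.group("domain"), 16),
        "address": int(m.group("addr"), 16),
        # Bit 0x20 is EVENT_FLAG_RW in the AMD IOMMU driver: set means a write.
        "write": bool(flags & 0x20),
    }


def summarize(lines, threshold=3):
    """Count faults per device and return those at or above the threshold."""
    counts = Counter()
    for line in lines:
        fault = parse_fault(line)
        if fault:
            counts[fault["device"]] += 1
    return {dev: n for dev, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for dev, n in summarize(SAMPLE_DMESG.splitlines()).items():
        print(f"device {dev}: {n} blocked DMA accesses, check its driver/mapping")
```

On a live system feed it `dmesg` or `journalctl -k` output instead of the sample; a device that keeps faulting after a driver reload is worth isolating.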