<br><br><div class="gmail_quote">2008/5/29 <<a href="mailto:david@lang.hm">david@lang.hm</a>>:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Thu, 29 May 2008, Jameson "Chema" Quinn wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I just had an IRC conversation with Benjamin Schwarz in which we talked<br>
about:<br>
<br>
He said that 3,4, and 5 have been considered more serious than 1 and 2;<br>
since they are impossible, there is little point doing 1 and 2. I disagreed.<br>
<br>
There is no way with current hardware to write-protect the NAND storage, and<br>
not too much space (<<512K) in the firmware storage. However, it would be<br>
possible to hash NAND or some subset thereof, and complain loudly on boot if<br>
it changed.<br>
</blockquote>
<br></div>
not really, you would have to hash NAND on every shutdown. remember everything you do is in thr journal on NAND, and any change (including things like a file timestamp, including atime) will invalidate your hash.<br>
<br>
David Lang<div><div></div><div class="Wj3C7c"><br>
</div></div></blockquote><div>The idea would be to have a separate read-only volume on NAND, which included everything executable as root (in other words, 90-100% of glucose and ribose; the kernel, though, is already signed, so could be elsewhere). Mounting this ro would prevent silly atime breakage, and there could be strong protections to prevent anything NOT on this volume from being considered "executable" by root. (Of course, this is not the whole story, as there are uncountable ways for non-"executable" stuff to compromise security; but it is a start. It would break any rpm's that only know how to run as root - but these are broken anyway.) <br>
</div></div><br>