Booting encrypted

Bruce M Simpson bms at spc.org
Tue Sep 7 14:41:22 PDT 2004


On Tue, Sep 07, 2004 at 01:54:43PM -0700, ctodd at chrismiller.com wrote:
> If the authorization mechanism is limited to plain text, then yes. I know
> that "strings" can be used to attempt to find the passphrase in the load,
> but there may be ways to prevent the passphrase from being retrieved in
> this manner.

On the other hand, you could use TCPA. Support for the TCPA chips found in
many recent IBM machines, particularly the ThinkPad T4x series, was written
for NetBSD by the folks at CITI.  It's on my wishlist.

You could probably teach GBDE about TCPA key retrieval, but the upshot is,
you still need to log in to the TCPA chip. However, if you activated TCPA
and only allowed it to boot your FreeBSD-derived product OS, by means of
their signature mechanism, then you might well achieve your stated aims.

BMS

