Booting encrypted

Peter Pentchev roam at ringlet.net
Wed Sep 15 18:02:47 PDT 2004


On Wed, Sep 15, 2004 at 07:30:19PM -0500, Frank Knobbe wrote:
> On Tue, 2004-09-07 at 15:22, Steve Watt wrote:
> > Having the password compiled in to something that's necessarily clear-text
> > on the same media?
> 
> Sorry for being late... I'm still catching up on piles of email :)
> 
> 
> Instead of having a plaintext password on the same media, how about a
> mechanism that reads the CPU's serial number, or some other hardware
> dependent number that can not be read by users on a system. If the drive
> gets removed from the system, the attacker would have a challenge.
> 
> Of course you have to be careful before you replace failed hardware that
> is used to derive the key :)  Don't replace the failed CPU before you
> decrypted... no wait... uhm...   :)   Okay, how about an offline copy of
> the number in case of hardware failure... :)
> 
> Seriously though, tying the boot process to a hardware dependent value
> that is not accessible from within the booted system might be something
> to consider. 
> 
> Any thoughts?

One word that Bruce M. Simpson already mentioned: TCPA :)

Well, it's not exactly what you describe, but it is basically what you
describe done right - no offense intended, of course, I mean that the
TCPA specs at http://trustedcomputinggroup.org/home seem to provide the
benefits that you are looking for in a framework that mostly alleviates
the problems.  Of course, the key word is 'mostly', and there is more to
TCPA than just encrypted booting, and there are lots of people who
disagree with the 'more' part, but still you might want to take a look
at it.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at cnsys.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.