[coreboot] LinuxBIOS/coreboot and security

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Mon Jan 28 00:12:30 CET 2008


On 27.01.2008 23:32, Torsten Duwe wrote:
> On Saturday 26 January 2008, Carl-Daniel Hailfinger wrote:
>   
>> Hi Philipp,
>>
>> On 25.01.2008 12:50, Philipp Marek wrote:
>>     
>>> My question is this. I'd like to secure machines against the
>>> people that should work with them [1].
>>>       
>> Ah. Classic DRM.
>>     
>
> DRM does not work.
>   

Single-chip solutions with an embedded TPM at least make attacks really
difficult.

> The only use I can think of is a student pool at the university.
>   

Or maybe a company wants to secure their machines against their employees.

>> Do you control (manufacture) the hardware?
>>     
>
> Even that does not help. Ask M$ about a thing called "Ex-box" (or so...)
>   

Agreed. However, if somebody manufactures the hardware, he has a lot
more options to make tampering difficult than someone who simply sticks
a board in a case and tries to solve the problem in software.

>> There is no easy way to set the bar higher. It will almost always cost
>> you a lot more time to secure a machine than it takes the user to break it.
>>     
>
> Not if it's under surveillance, like a student's computer pool room, subject 
> to unannounced inspection. In that scenario cases with a single screw have 
> proven themselves. That screw is then chained and locked.
>   

Yes. Surveillance is indeed a very promising way for tamper prevention.
Another way without direct surveillance would be installing an alarm
system with a really loud acoustic signal. If the signal is guaranteed
to be heard outside the room, you don't need surveillance inside the
room. That option may help in case direct surveillance is prohibited by law.


Regards,
Carl-Daniel



