grub-devel

Re: Re[2]: 'password' command in GRUB 2?


From: Vladimir 'phcoder' Serbinenko
Subject: Re: Re[2]: 'password' command in GRUB 2?
Date: Wed, 26 Aug 2009 19:32:37 +0200

On Wed, Aug 26, 2009 at 1:51 PM, Michal Suchanek<address@hidden> wrote:
> 2009/8/25 Vladimir 'phcoder' Serbinenko <address@hidden>:
>>> However, that CVE is about grub leaving its passwords in memory.
>>> Wiping memory used by grub should be fast - orders of magnitude faster
>>> than loading the OS kernel for example.
>> Actually this specific report is about BIOS leaving its keyboard
>> buffer - you can find BIOS password there too. As BIOS is proprietary
>> firmware whatever we do we can never ensure it being secure. Even the
>
> Even if many BIOSes leave their password there it's not a reason to be as sloppy.
>
Let me clarify my position:
1) If someone submits a patch with clean (e.g. shredding grub_free,
ensure there is no memory leak and a shredder for BIOS buffer) then I
would recommend to merge this patch
2) This is a considerable amount of work and not a priority.
3) It's not a reason to hold the release
> I am not particularly concerned about this issue but the BIOS
> typically requires a reboot after typing the password so if it is
> half-decently implemented it clears the buffer during initialization.
> If it does not it's not grub's concern, it should do its part by
> clearing its own sensitive data (if any).
Actually what was described in the original link is exactly BIOS leaving data behind.
>
> Thanks
>
> Michal



-- 
Regards
Vladimir 'phcoder' Serbinenko

Personal git repository: http://repo.or.cz/w/grub2/phcoder.git
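
The two pieces named in point 1 above (a shredding free and a wipe of the BIOS keyboard buffer), sketched as an added example that is not part of the original message and not GRUB code. It assumes hosted C with `malloc`/`free` standing in for GRUB's allocator; `shred_malloc`, `shred_block`, `shred_free` and `wipe_bios_kbd_buffer` are hypothetical names, and the offsets are the standard PC BIOS Data Area layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Write zeros through a volatile pointer so the compiler cannot discard
   the stores as dead writes just before the memory is released. */
static void secure_wipe(volatile void *p, size_t n)
{
    volatile unsigned char *b = p;
    while (n--)
        *b++ = 0;
}

/* A header in front of each block records the payload size, so the free
   path knows how many bytes to shred (hypothetical wrapper). */
typedef union { size_t size; max_align_t align; } shred_hdr;

void *shred_malloc(size_t n)
{
    shred_hdr *h;
    if (n > SIZE_MAX - sizeof *h)       /* reject size overflow */
        return NULL;
    h = malloc(sizeof *h + n);
    if (!h)
        return NULL;
    h->size = n;
    return h + 1;
}

/* Wipe the payload and return the underlying allocation to release. */
void *shred_block(void *p)
{
    shred_hdr *h = (shred_hdr *)p - 1;
    secure_wipe(p, h->size);
    return h;
}

void shred_free(void *p)
{
    if (p)
        free(shred_block(p));
}

/* Keyboard ring in the BIOS Data Area, offsets relative to segment 0x40. */
enum { KBD_HEAD = 0x1A, KBD_TAIL = 0x1C, KBD_BUF = 0x1E, KBD_LEN = 32 };

/* bda points at the BDA (physical 0x400 on a PC); assumption: the caller
   provides that mapping, so a plain array can be passed when testing. */
void wipe_bios_kbd_buffer(volatile uint8_t *bda)
{
    secure_wipe(bda + KBD_BUF, KBD_LEN);
    bda[KBD_HEAD] = bda[KBD_TAIL] = KBD_BUF;   /* head == tail: ring empty */
    bda[KBD_HEAD + 1] = bda[KBD_TAIL + 1] = 0;
}
```

Wiping on free only covers copies the allocator knows about; stack buffers and any copy made outside the wrapped allocator need their own `secure_wipe` call.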