Re: Broken dream of mine :(

[Michal Suchanek]

2009/9/21 Sam Mason <address@hidden>:
> On Mon, Sep 21, 2009 at 02:49:46PM +0200, Arne Babenhauserheide wrote:
>> Now imagine this as general protection measure for the whole internet.
>
> The point I was trying to make is that this doesn't work for "the
> whole internet".  This is for a small, mostly homogeneous, sets of
> systems and you want to be sure of what code they're running.  These
> computers may indeed be connected over the internet and hence be in
> different administrative domains.  TPM helps to make sure the admins are
> honest, but as they have the hardware there's always the chance they
> could physically alter the hardware in ways that it doesn't notice.
> Non-physical attacks should be prevented though.

Well, this was discussed to death on another list (grub-devel). The
admins typically do have physical access, and physical access makes it
possible to launch quite a few attacks that are feasible with
resources a system administrator would typically posses (spare
hardware parts, digital voltmeter).

If you really want to protect against that you *need* physical
security. And if you do have physical security you have to do the
administration yourself anyway so the system need not protect against
an administrator.

On the other hand, a TPM based verification is enough to lock out an
average Joe User out of his computer.

In general it gives false sense of security which is worse than
useless yet if abused it can cause additional damage.

I would avoid that thing altogether.

Thanks

Michal