[ale] OT: micro mini nano PC

Phil Turmel philip at turmel.org
Mon Feb 1 11:02:16 EST 2016


On 02/01/2016 10:33 AM, Steve Litt wrote:
> On Mon, 01 Feb 2016 06:25:42 +0300
> damon at damtek.com wrote:

>> Well, actually, its to protect against a blue pill exploits where a
>> hypervisor "lifts" the OS off of the hardware and at that time the OS
>> does not know it is virtualized and the exploiter has complete,
>> uncontested control and access to the OS. In theory it is OS agnostic
>> and has been proofed in the lab. I don't know of any wild exploits.
> 
> Like so many other things, this is a tradeoff. Yes, secure boot
> protects from an exploit below the level of the OS, and might be the
> only practical way to do so. On the other hand, it restricts you to
> software possessing a key that costs money. Worse, a key signed by
> Microsoft.
> 
> No problem: The purchaser gets to leave it on or turn it off. Oops, not
> any more. Hardware manufacturers can choose to remove the on/off
> switch, and worse yet, that on/off switch *never* appears on their
> specification sheets, so you guess and return. Or more likely, many
> people are assimilated into the Redhat SuSE Debian Ubuntu conglomerate.

But if you *do* have a mobo with configurable secure boot, you can
replace the certificates with your own, then sign your own kernels.
Then *nothing* will run before your OS on that box.

http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/

Phil


More information about the Ale mailing list