Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 15 Sep 2004 20:24:06 -0700
From:      Bruce M Simpson <bms@spc.org>
To:        ctodd@chrismiller.com
Cc:        Frank Knobbe <frank@knobbe.us>
Subject:   Re: Booting encrypted
Message-ID:  <20040916032406.GC7413@empiric.icir.org>
In-Reply-To: <Pine.BSI.4.58L.0409151855130.8383@vp4.netgate.net>
References:  <200409072022.i87KM7Kf049770@wattres.Watt.COM> <20040916010317.GN1001@straylight.m.ringlet.net> <Pine.BSI.4.58L.0409151855130.8383@vp4.netgate.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Hello,

It really depends on how far you want to go to protect the product, and
what your threat model looks like.

On Wed, Sep 15, 2004 at 07:17:33PM -0700, ctodd@chrismiller.com wrote:
> My main objective is to prevent someone from removing the drive and
> mounting it from another *nix system and turning it into a unix toy
> (turning on shell access, etc) which it's not designed to be, as well as
> getting at the application and configuration. By having encryption done by
> the loader in such a way that the key can not be derived, protects the
> entire filesystem from tampering. Nothing this appliance is going to be
> doing requires super fast disk i/o so encryption is not an issue. In fact
> I've even considered using flash instead of a drive, but the same issue is
> there.

This is more or less what I'd proposed. The key element here is that if your
key for the hard drive is stored IN ANY WAY on the hard drive, particularly
in or near the loader, your appliance would be cracked fairly easily.

Using TCPA, you could lock down your device in this way, and extract the
symmetric key for the media from nonvolatile secure storage on the chip
once the OS has logged into it. Of course you'd have to sign the OS image
in such a way that booting it unlocked the secure storage. I haven't
researched this point in depth but I think it may be possible.

The TCPA chip generally hangs off the ICH chip in Intel chipset based
systems, on the LPC bus PCI function; it's possible that you could retrofit
this to a board if the existing board design does not have TCPA pinned out,
by pinning out LPC, or by pinning out ISA and slotting it in on a board.

Regards,
BMS



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040916032406.GC7413>