Date: Tue, 7 Sep 2004 14:41:16 -0700
From: Bruce M Simpson <bms@spc.org>
To: ctodd@chrismiller.com
Cc: hackers@freebsd.org
Subject: Re: Booting encrypted
Message-ID: <20040907214116.GB815@empiric.icir.org>
In-Reply-To: <Pine.BSI.4.58L.0409071341060.19821@vp4.netgate.net>
References: <200409072022.i87KM7Kf049770@wattres.Watt.COM> <Pine.BSI.4.58L.0409071341060.19821@vp4.netgate.net>

On Tue, Sep 07, 2004 at 01:54:43PM -0700, ctodd@chrismiller.com wrote:
> If the authorization mechanism is limited to plain text, then yes. I know
> that "strings" can be used to attempt to find the passphrase in the load,
> but there may be ways to prevent the passphrase from being retrieved in
> this manner.

On the other hand, you could use TCPA. Support for the TCPA chips found in
many recent IBM machines, particularly the ThinkPad T4x series, was written
for NetBSD by the folks at CITI. It's on my wishlist.

You could probably teach GBDE about TCPA key retrieval, but the upshot is,
you still need to log in to the TCPA chip.

However, if you activated TCPA and only allowed it to boot your
FreeBSD-derived product OS, by means of their signature mechanism, then you
might well achieve your stated aims.

BMS