[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]
dalini
dalini at datenschleuder.org
Sat Sep 4 10:47:39 UTC 2004
Russell Coker wrote:
> When booting from removable media that contains the decryption key the attack
> scenario would be to replace the BIOS with one that sends everything it reads
> from disk (IE everything that the boot loader reads) over an Ethernet
> interface.
>
> A trojan BIOS that modifies the kernel during the boot load process to
> introduce a security hole would be doable if you have adequate resources.
>
there is a second option (also bios and startup related):
you can put an additional pci-extension-bios to any pci-card which have
a own pci-extension-bios for setting up its hardware, the chips are
usaly 64k but not fully used (graficcard, networkcard, ...) and the
point is, the standard allows you to put several
pci-extension-bios-images into one of such eeproms which just point to
each other and get called through the main-bios
so its not really necessary to exchange the system bios, get your hands
on a pci-card with a extension-bios may be enough... so keep your eyes
open if you change hardware ;)
and this is working practical, i have written a pci-extension-bios which
actuly was sitting at (in this case) the network card for
reading/setting bios-settings (nvram) during boot-up process at the
serial port some years ago (was for some semiautomatic setting up
process of 'black-box' hardware with no keyboard monitors attached to
it) ok - second problem here, would be getting the code surviving in ram
the boot-up sequence of the operating system, but i'm sure this won't be
any problem for some ppl with the necessary skills
i'm not sure about the pci-x-standard, but i think this could be working
similar
greetings
dalini
More information about the fedora-selinux-list
mailing list