[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

dalini dalini at datenschleuder.org
Sat Sep 4 10:47:39 UTC 2004


Russell Coker wrote:

> When booting from removable media that contains the decryption key the attack 
> scenario would be to replace the BIOS with one that sends everything it reads 
> from disk (IE everything that the boot loader reads) over an Ethernet 
> interface.
> 
> A trojan BIOS that modifies the kernel during the boot load process to 
> introduce a security hole would be doable if you have adequate resources.
> 
there is a second option (also bios and startup related):

you can put an additional pci-extension-bios to any pci-card which have 
a own pci-extension-bios for setting up its hardware, the chips are 
usaly 64k but not fully used (graficcard, networkcard, ...) and the 
point is, the standard allows you to put several 
pci-extension-bios-images into one of such eeproms which just point to 
each other and get called through the main-bios

so its not really necessary to exchange the system bios, get your hands 
on a pci-card with a extension-bios may be enough... so keep your eyes 
open if you change hardware ;)

and this is working practical, i have written a pci-extension-bios which 
actuly was sitting at (in this case) the network card for 
reading/setting bios-settings (nvram) during boot-up process at the 
serial port some years ago (was for some semiautomatic setting up 
process of 'black-box' hardware with no keyboard monitors attached to 
it) ok - second problem here, would be getting the code surviving in ram 
the boot-up sequence of the operating system, but i'm sure this won't be 
any problem for some ppl with the necessary skills

i'm not sure about the pci-x-standard, but i think this could be working 
similar


greetings
dalini



More information about the fedora-selinux-list mailing list