Re: [RFC][PATCH 1/3] EVM

From: David Safford (safford@private)
Date: Wed Nov 16 2005 - 10:21:08 PST


On Wed, 2005-11-16 at 10:09 -0500, James Morris wrote:
> On Tue, 15 Nov 2005, David Safford wrote:
> 
> > device driver, based on a trusted boot. Since the kernel master
> > key is unsealed by the hardware TPM only as a result of a valid
> > trusted boot, and the key is never visible outside the kernel,
> > the EVM HMAC attribute cannot be forged in an offline attack.
> 
> More comments to follow, but I think this claim is confusing.
> 
> If a kernel contains a vulnerability which allows userland to arbitrarily 
> access kernel memory, the HMAC could be forged later.
> 
> A "trusted" boot here only means that the kernel was not tampered with 
> after installation, not that you can trust the kernel.  Verified boot is 
> probably a better term.

You are absolutely correct in what "trusted boot" means (and
doesn't mean) here, and that the description should be clearer.
The term, unfortunately, seems to have stuck in the literature.  Vista is
claiming a similar trusted boot, so perhaps we should keep the term
while trying to be clearer about what it really means.

dave safford
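
The two boot scenarios argued over above, as an added toy model that is not EVM's code nor anything from the posted patch: a sealed kernel master key is released only when the PCR value at unseal time matches the one recorded at seal time, so an offline edit of the kernel (which changes its measurement) never yields the key, while a key already unsealed under a good boot can forge the EVM HMAC once it has been read out of kernel memory. The TPM interface, the PCR extend rule (TPM 1.2 style SHA1 chaining), the set of inode attributes covered by the HMAC and the sample file are all assumptions made for the illustration.

```python
"""Toy model of a TPM-sealed EVM master key (constructed example, not EVM code)."""
import hashlib
import hmac

PCR_INIT = b"\x00" * 20      # PCRs start at zero on reset
KEY_LEN = 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 style extend: PCR = SHA1(PCR || SHA1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


class ToyTPM:
    """Seal/unseal bound to a single PCR. Assumed interface, not a real TPM API."""

    def __init__(self, srk_secret: bytes):
        self._srk = srk_secret      # storage root secret; never leaves the 'chip'
        self.pcr = PCR_INIT

    def boot(self, components):
        """Measure each boot component (BIOS, loader, kernel ...) into the PCR."""
        self.pcr = PCR_INIT
        for c in components:
            self.pcr = pcr_extend(self.pcr, c)

    def seal(self, secret: bytes) -> bytes:
        """Wrap the secret under the SRK, binding it to the current PCR value."""
        assert len(secret) == KEY_LEN
        keystream = hashlib.sha256(self._srk + b"wrap" + self.pcr).digest()
        ct = bytes(a ^ b for a, b in zip(secret, keystream))
        tag = hmac.new(self._srk, self.pcr + ct, hashlib.sha256).digest()
        return self.pcr + ct + tag

    def unseal(self, blob: bytes):
        """Return the secret only if the PCR now equals the PCR at seal time."""
        pcr_at_seal = blob[:20]
        ct = blob[20:20 + KEY_LEN]
        tag = blob[20 + KEY_LEN:]
        expect = hmac.new(self._srk, pcr_at_seal + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("sealed blob corrupted")
        if not hmac.compare_digest(pcr_at_seal, self.pcr):
            return None   # boot chain differs from the one the key was sealed under
        keystream = hashlib.sha256(self._srk + b"wrap" + pcr_at_seal).digest()
        return bytes(a ^ b for a, b in zip(ct, keystream))


def evm_hmac(master_key: bytes, data: bytes, uid: int, gid: int, mode: int) -> bytes:
    """HMAC over the content hash plus a simplified (assumed) set of inode attributes."""
    meta = f"{uid}:{gid}:{mode:o}".encode()
    return hmac.new(master_key, hashlib.sha1(data).digest() + meta, hashlib.sha1).digest()


def evm_verify(master_key: bytes, f: dict) -> bool:
    calc = evm_hmac(master_key, f["data"], f["uid"], f["gid"], f["mode"])
    return hmac.compare_digest(calc, f["security.evm"])


GOOD_BOOT = [b"bios-v1", b"grub-v1", b"vmlinuz-2.6.14"]          # constructed measurements


def setup():
    """Good boot, generate and seal the master key, label one protected file."""
    tpm = ToyTPM(b"srk-secret-inside-tpm")
    tpm.boot(GOOD_BOOT)
    master = hashlib.sha256(b"kernel master key (random in practice)").digest()
    blob = tpm.seal(master)
    f = {"data": b"#!/bin/sh\necho hello\n", "uid": 0, "gid": 0, "mode": 0o755}
    f["security.evm"] = evm_hmac(master, f["data"], f["uid"], f["gid"], f["mode"])
    return tpm, blob, f


def offline_attack():
    """Attacker has the disk but never the key: modify the file, then try both kernels."""
    tpm, blob, f = setup()
    f["data"] = b"#!/bin/sh\necho pwned\n"            # tampered content, old HMAC left in place
    tpm.boot(GOOD_BOOT)                                # (a) genuine kernel: key unseals, tamper detected
    detected = not evm_verify(tpm.unseal(blob), f)
    tpm.boot([b"bios-v1", b"grub-v1", b"vmlinuz-2.6.14-backdoored"])   # (b) patched kernel
    key_withheld = tpm.unseal(blob) is None            # PCR differs, TPM refuses to unseal
    return detected, key_withheld


def online_attack():
    """Morris's point: once a good boot has unsealed the key into kernel memory,
    a (hypothetical) kernel memory disclosure hands it to userland and HMACs are forgeable."""
    tpm, blob, f = setup()
    tpm.boot(GOOD_BOOT)
    leaked = tpm.unseal(blob)                          # stands in for the key read out of the kernel
    f["data"] = b"#!/bin/sh\necho pwned\n"
    f["security.evm"] = evm_hmac(leaked, f["data"], f["uid"], f["gid"], f["mode"])
    return evm_verify(leaked, f)                       # True: the forged label verifies


if __name__ == "__main__":
    print("offline: detected, key withheld =", offline_attack())
    print("online forgery verifies =", online_attack())
```

The model shows why "verified boot" is the more precise term: sealing ties key release to the measured boot chain, which is exactly what blocks the offline rewrite of the kernel, but it says nothing about what the verified kernel does with the key once it holds it.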



This archive was generated by hypermail 2.1.3 : Wed Nov 16 2005 - 10:22:11 PST