Treacherous Computing (Re: [PATCH] use UUIDs for cross-disk installs)

[Robert Millan <rmh@aybabtu.com>]

On Sun, Aug 03, 2008 at 01:04:05PM -0400, Isaac Dupree wrote:
> 
> I'm actually a little more worried about the combination of 
> overworked/confused sysadmins making mistakes, and GRUB 
> (potentially) not being completely deterministic in the face 
> of additional drives (which is inherently confusing because 
> it rarely matters).  And some of my situations are 
> hit-or-miss anyway: if you (the intrepid user trying to boot 
> from CD) don't even trust the contents of the hard disk, 
> most likely the BIOS or boot process could be corrupted too. 
>  I suppose I haven't yet seen any duplicate UUIDs, even 
> including FAT ids, so I shouldn't worry so much.
> 
> Anyway, I *don't* wish to trust the random CDs and USB 
> drives I plug in without my explicit say-so, and that's been 
> true at least on the Mac for years and years before TPM 
> chips became common, probably even before CDs became common. 
>  The point is that giving my explicit say-so is easy.  The 
> way I interpret that in the case of a bootloader that's not 
> built in but that's on one of the drives, is that GRUB only 
> trusts the drive it's on (and the RAM, CPU etc.) by default, 
> or whatever configuration of hardware you want to specify 
> allowing in grub.cfg?  (Or maybe just a well-defined search 
> order is sufficient -- but it would be odd to find something 
> identified by UUID on a different disk than it was 
> originally, so the user might want to be asked if all is as 
> s/he intended.)  Of course at GRUB commandline you can still 
> boot from CD!  Locking away GRUB's powers from its user is a 
> completely different matter!

I see.  Well I think the answer to your questions will be when we stop
reliing on BIOS completely and use Coreboot/GRUB.

> >So-called "Trusted" Computing is just a blatant excuse to steal your music 
> >and
> >your documents.  Don't drink the kool aid.
> 
> I was a bit worried that my using words like "genuine" and 
> "trust" and "attacker" was going to make people think "oh 
> no, DRM!", which is when I have software that doesn't trust 
> me (eeek!), rather than vice versa

Yeah, I wish we could bring back true meaning of words.  It's so
difficult now... :-/

To put it clearly, I think Trusted Computing can be a great idea, but it
basicaly doesn't exist yet.  All we have is this treacherous crap they try
to sell as "Trusted" when in fact you don't own your crypto keys and they
pretend (as per spec) to use them as a challenge against you (i.e. sign this
with _our_ key or you're a criminal).

> >Or use a crypto module where you load a key from a secure environment and 
> >use
> >that to implement measurement during boot.  The TPM could have become such
> >module, but they decided to cripple it by:
> >
> >  a) Loading the key themselves.
> >  b) Not giving you a copy of the key.
> >
> >I still hope sooner or later a sane company (that is, one that understands
> >basic rights like ownership) will manufacture modules for this purpose.
> 
> I suppose (if it existed), that would help tell me whether I 
> had actually booted the GRUB that I'd meant to boot.  But I 
> don't understand how hardware-level encryption works well 
> enough.  (Anyway, from everything I've heard about its 
> special capabilities, it can't even detect when the 
> inevitable security flaws in the software you're using are 
> being exploited! kaboom, any assumptions about what that 
> means for the system's state go out the window!)

Of course.  The whole point is not to make your software secure, but to
redefine the security model.

By default (the Universe was made this way), the security model is that
physical access is the root of trust.  If you have physical access your
computer "trusts" you as you can make it do anything you want.

Inserting an unbreakable chip can change this model, making it possible for
the owner to be someone without physical control.  Of course, this could be
desireable when the user is not the legitimate owner of the device (e.g. a
voting machine), but they designed the scheme in a way (no procedure for key
retrieval, etc) that even the legitimate owner can be excluded from accessing
the root of trust, turning the whole thing into a parody of what security
means for users.

-- 
Robert Millan

  The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
  how) you may access your data; but nobody's threatening your freedom: we
  still allow you to remove your data and not access it at all."