From: Bill Davidsen <davidsen@tmr.com>
To: Valdis.Kletnieks@vt.edu
Cc: Paulo Marques <pmarques@grupopie.com>,
	"Nico Augustijn." <kernel@janestarz.com>,
	hvr@gnu.org, clemens@endorphin.org, linux-kernel@vger.kernel.org
Subject: Re: Cryptoloop patch for builtin default passphrase
Date: Tue, 26 Oct 2004 17:15:44 -0400
Message-ID: <417EBE80.3030505@tmr.com>
In-Reply-To: <200410251905.i9PJ5Rrj013717@turing-police.cc.vt.edu>

Valdis.Kletnieks@vt.edu wrote:
> On Mon, 25 Oct 2004 19:23:35 BST, Paulo Marques said:
> 
> 
>>(why would you need confidential information to boot in the first place?)
> 
> 
> The problem is not that the info in the NVRAM is "confidential",
> but that most of it is "configuration".
> 
> Really sucks if you recable your SCSI controllers, the default boot disk
> changes from controller 4, device 5, to controller 2, device 3 - and you
> have to go and re-cable the OLD way, find the rescue CD, and fix /etc/fstab
> so that you can boot in the same config that you installed the software?
> 
> Either that, or forever lose the use of "default boot device", and
> have to specify it on every single boot if you want the software to work.
> That *really* sucks if it's a rack-mount in a colo, you need to get physical
> access to reboot....
> 
> 
>>No it is not. You would just type in again *if* the contents of nvram 
>>got lost which shouldn't happen in the first place (or at least happen 
>>rarely).
> 
> 
> So you change IRQ9 from level to edge trigger, or change "default boot order"
> from "floppy, cd, hard drive" to "floppy, cd, hard drive, network", and
> suddenly your software evaporates?
> 
> That certainly violates the Principle of Least Surprise, and why I asked
> if it was an intended effect.

It depends on the intent of the encryption. If the purpose is to 
protect the data, then this is acceptable. In some cases it is more 
important to protect the data than to preserve them.

More to the point, I thought there was a small section of nvram reserved 
to local system use, which the BIOS should not change. The appropriate 
manual is 100 miles away, I have no time to google. Besides which someone 
will pop up with the answer before I could look ;-)

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me
