Re: SHA-1 MBR - phcoder

All of lore.kernel.org
 help / color / mirror / Atom feed

From: phcoder <phcoder@gmail.com>
To: The development of GRUB 2 <grub-devel@gnu.org>
Subject: Re: SHA-1 MBR
Date: Sat, 21 Feb 2009 00:41:45 +0100	[thread overview]
Message-ID: <499F3FB9.9070304@gmail.com> (raw)
In-Reply-To: <499F376C.60906@student.ethz.ch>

Hello
Jan Alsenz wrote:
> Hi!
> 
> Wow, cool work!
Thanks
> It's not complete SHA-1, but the rest should be just a constant offset.
I already said how it differs from standard one. If you feed padded 
byteswapped data to it and then byteswap the rsult back you obtain 
exactly normal SHA-1. But as I said if size is fixed it's compeletely 
equivalent in security to normal SHA-1 (you can easily prove formally 
that any successful attack on one variant immediately results in 
successful attack on another variant)
> 
> But I'm still not sure, what you are trying to do here, is the MBR your root of
> trust?

I'm trying to achieve universal verification scheme which is able to do 
what is needed to support tpm ("prolonging chain of trust" in tpm 
unstandard parlance) without using tpm itself. Such scheme can in future 
be useful in other applications as well.
 > If not, who checks the MBR?
This can't be done by grub because it happens before any part of grub is 
loaded. to verify grub you need to rely on vendor/platform-specific 
mechanisms.
I personally find "tpm without tpm" more attractive because it can be 
easily reused on another platform or any alternative to tpm (perhaps 
anybody here or coreboot folks will come up with something). 
Additionally it workarounds many bios and tpm bugs.
I will continue working on sha-1 boot. My goal is to load core.img 
checked. After that point there is much more space and any signature 
based solution can be used.
> 
> Greets,
> 
> Jan
> 
Regards
Vladimir 'phcoder' Serbinenko

next prev parent reply	other threads:[~2009-02-20 23:41 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-02-20 21:50 SHA-1 MBR phcoder
2009-02-20 23:06 ` Jan Alsenz
2009-02-20 23:41   ` phcoder [this message]
2009-02-21  0:32     ` Jan Alsenz
2009-02-21  1:02       ` Isaac Dupree
2009-02-21  1:21         ` Javier Martín
2009-02-21  9:43           ` phcoder
2009-02-21  8:56       ` Jan Alsenz
2009-02-21 13:27         ` phcoder
2009-02-21 14:12           ` phcoder
  -- strict thread matches above, loose matches on Subject: below --
2009-02-21  2:21 Alex Besogonov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=499F3FB9.9070304@gmail.com \
    --to=phcoder@gmail.com \
    --cc=grub-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.