From: phcoder
Date: Sat, 28 Feb 2009 00:18:17 +0100
To: The development of GRUB 2
Subject: Re: GRUB hardened boot framework
Message-ID: <49A874B9.8030403@gmail.com>
In-Reply-To: <49A872D1.5010608@student.ethz.ch>

> If the code that does the authentication is loaded from the encrypted partition,
> without being checked, this is true, but we assume, that core.img is already
> loaded (and checked), so the authentication code is not on the encrypted
> partition, and can detect any tampering.

As far as I understood, Robert Millan was suggesting that just encrypting (but not verifying) your kernel is enough. I wanted to show why it isn't.

-- 
Regards
Vladimir 'phcoder' Serbinenko
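
Added example, not part of the original message and not GRUB code: a minimal sketch of the point under discussion, that a loader which only decrypts accepts a modified image silently, while a check run from already-trusted code rejects it. The toy keystream cipher, the use of HMAC-SHA256 as the verification step, and all names and sample bytes are assumptions made for illustration; the thread does not specify a mechanism.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not a vetted cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (same operation both ways)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seal(enc_key: bytes, mac_key: bytes, image: bytes):
    """Encrypt the image, then compute an HMAC-SHA256 tag over the ciphertext."""
    ct = xor_crypt(enc_key, image)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def load_unverified(enc_key: bytes, ct: bytes) -> bytes:
    """Encrypt-only loader: decrypts whatever is stored, with no way to notice changes."""
    return xor_crypt(enc_key, ct)


def load_verified(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Loader whose check lives in trusted code: verify the tag first, then decrypt."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("kernel image failed integrity check")
    return xor_crypt(enc_key, ct)


def modify_stored(ct: bytes) -> bytes:
    """Model a change to the stored ciphertext: one bit differs, no key involved."""
    mid = len(ct) // 2
    return ct[:mid] + bytes([ct[mid] ^ 0x01]) + ct[mid + 1:]


# Constructed sample keys and image bytes (hypothetical values).
ENC_KEY = b"constructed-enc-key"
MAC_KEY = b"constructed-mac-key"
IMAGE = b"constructed kernel image bytes"
CT, TAG = seal(ENC_KEY, MAC_KEY, IMAGE)

if __name__ == "__main__":
    changed = modify_stored(CT)
    print("encrypt-only loader returned:", load_unverified(ENC_KEY, changed))
    try:
        load_verified(ENC_KEY, MAC_KEY, changed, TAG)
    except ValueError as err:
        print("verifying loader:", err)
```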