[GTALUG] A question about boot

[D. Hugh Redelmeier]

[This is a copy of a reply I sent to another list.]

| From: David Collier-Brown <davec-b at rogers.com>

| Who can talk about (intel or arm) boot? I'm looking at a problem that can be
| solved by setting up a device at boot time and not letting the OS have the
| privilege or perhaps the physical ability to change it...

Not enough information for me to understand the constraints.

What's your threat model?  

- Are you scared of the OS, the user of the OS, or something else?

- Are you scared of random misbehaviour or an intentional attack

- Can you control physical access to all or part of the system?

What would enforce change prevention?  Some things come to mind:

- the device itself could be set in an unchangeable mode after setup

  + eg. a physical switch that latches until "reset" (but this becomes
    a recursive problem:  how to prevent the OS from resetting the
    device).

- security through obscurity: ability to change the device is hidden
  behind a secret handshake only known to the initiates.  We generally
  distrust this kind of approach.

- security through a layer of indirection that implements the
  protection policy that you require

  + put a little controller (Raspberry Pi?) between the device and the
    computer.  You would probably need physical protection of the device
    from the Bad Guys (an OS?  A bad operator?)

  + run the OS under a VM system that implements the policy.

  + Conventional PCs have a mysterious "SMM" that overrides anything
    that the OS thinks it can do.  It is part of the firmware commonly
    called the BIOS and isn't easily mucked with by mortals.  With a
    high enough budget, SMM might be a useful vector.

But maybe you already have a solution in mind, with some blank bits,
and haven't sketched this for us.