On Thu, Apr 15, 2004 at 09:27:53AM +0100, Colin Watson wrote:
> Where I work at the moment (a company selling cryptographic hardware
> security modules), module firmware is signed using a highly secure key,
> and modules we release into the field will not accept new firmware
> unless it comes with a valid signature from this key. [...]
> (since, if you could
> upload trojaned firmware, then so could an attacker who's taken over
> your host system, and the point of hardware security is to protect your
> keys even if the host system is compromised).

Going off topic really, but there are two ways you can deal with this:
one is by only allowing the firmware to be changed when a jumper is set
-- so that you need physical access as well as root@ to upload
unauthenticated firmware -- and the other is to use a key that's
controlled by the owner of the hardware, rather than by your company.

Or you could use them both -- making it possible to change the key only
when a jumper's set, and only possible to upload firmware authenticated
by whatever key is set.

In the long term, these problems can be solved; and in the short term,
well, non-free firmware isn't a sin anyway.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
Don't assume I speak for anyone but myself. GPG signed mail preferred.

Protect Open Source in Australia from over-reaching changes to IP law
http://www.petitiononline.com/auftaip/ & http://www.linux.org.au/fta/
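The combined scheme from the message above (key changeable only with the jumper set, firmware accepted only when authenticated by the current key), modelled as an added example that is not part of the original mail or any vendor's code. The `Module` class and its method names are hypothetical, the keys are constructed sample values, and HMAC-SHA256 stands in for the signature check; a real module would verify an asymmetric signature against a stored public key.

```python
import hashlib
import hmac


def sign(key: bytes, image: bytes) -> bytes:
    """Stand-in for a real signature: HMAC-SHA256 (assumption, see lead-in)."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Module:
    """Hypothetical model: jumper-gated trust key, key-gated firmware."""

    def __init__(self, vendor_key: bytes):
        self.trust_key = vendor_key  # key the module currently trusts
        self.jumper = False          # physical jumper, set only with hands on the board
        self.firmware = b""
        self.audit = []              # (operation, accepted) records for later review

    def set_trust_key(self, new_key: bytes) -> bool:
        # Changing the trust anchor needs physical presence, not just root on the host.
        ok = self.jumper
        if ok:
            self.trust_key = new_key
        self.audit.append(("set_key", ok))
        return ok

    def upload(self, image: bytes, signature: bytes) -> bool:
        # Firmware must be authenticated by whatever key is set, jumper or not.
        ok = hmac.compare_digest(sign(self.trust_key, image), signature)
        if ok:
            self.firmware = image
        self.audit.append(("upload", ok))
        return ok


def demo():
    vendor, owner = b"constructed-vendor-key", b"constructed-owner-key"
    m = Module(vendor)
    results = {}
    # Compromised host (root, no physical access): key swap and foreign image both refused.
    results["remote_key_swap"] = m.set_trust_key(b"attacker-key")
    results["remote_upload"] = m.upload(b"trojan", sign(b"attacker-key", b"trojan"))
    # Owner sets the jumper, installs their own key, then removes the jumper.
    m.jumper = True
    results["owner_key_swap"] = m.set_trust_key(owner)
    m.jumper = False
    results["owner_firmware"] = m.upload(b"owner-build", sign(owner, b"owner-build"))
    # Once the owner's key is set, vendor-signed images are no longer accepted.
    results["vendor_firmware"] = m.upload(b"vendor-build", sign(vendor, b"vendor-build"))
    return results, m.firmware
```
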