
Re: more evil firmwares found

On Thu, Apr 15, 2004 at 09:27:53AM +0100, Colin Watson wrote:
> Where I work at the moment (a company selling cryptographic hardware
> security modules), module firmware is signed using a highly secure key,
> and modules we release into the field will not accept new firmware
> unless it comes with a valid signature from this key. [...]

> (since, if you could
> upload trojaned firmware, then so could an attacker who's taken over
> your host system, and the point of hardware security is to protect your
> keys even if the host system is compromised).

Going off topic really, but there are two ways you can deal with this: one
is by only allowing the firmware to be changed when a jumper is set -- so
that you need physical access as well as root@ to upload unauthenticated
firmware -- and the other is to use a key that's controlled by the owner
of the hardware, rather than by your company. Or you could use them
both -- making it possible to change the key only when a jumper's set,
and only possible to upload firmware authenticated by whatever key is set.

In the long term, these problems can be solved; and in the short term,
well, non-free firmware isn't a sin anyway.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
Don't assume I speak for anyone but myself. GPG signed mail preferred.

Protect Open Source in Australia from over-reaching changes to IP law
http://www.petitiononline.com/auftaip/ & http://www.linux.org.au/fta/
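
The combined scheme described in the message above (the key can be changed only while the jumper is set, and firmware is accepted only when authenticated by whatever key is set), modelled as an added example that is not part of the original post. The class and function names are hypothetical, the keys and images are constructed, and HMAC-SHA256 stands in for a real public-key signature so that it runs with the Python standard library alone.

```python
import hashlib
import hmac

def sign(key: bytes, image: bytes) -> bytes:
    # Stand-in for the owner's signing step (HMAC here, not a real signature scheme).
    return hmac.new(key, image, hashlib.sha256).digest()

class Module:
    """Hypothetical model of the device's firmware-update policy."""

    def __init__(self, owner_key: bytes, firmware: bytes):
        self.owner_key = owner_key   # key controlled by the owner of the hardware
        self.firmware = firmware
        self.jumper_set = False      # physical jumper; host software cannot move it

    def set_key(self, new_key: bytes) -> bool:
        # Changing the key needs physical access: refused unless the jumper is set.
        if not self.jumper_set:
            return False
        self.owner_key = new_key
        return True

    def upload(self, image: bytes, tag: bytes) -> bool:
        # Firmware is accepted only if authenticated by the key that is set now.
        if not hmac.compare_digest(sign(self.owner_key, image), tag):
            return False
        self.firmware = image
        return True

def demo() -> dict:
    m = Module(owner_key=b"owner-key-1", firmware=b"fw-v1")   # constructed values
    r = {}
    # Compromised host, no physical access: key swap and foreign-key image both fail.
    r["key_change_no_jumper"] = m.set_key(b"other-key")
    r["foreign_upload"] = m.upload(b"fw-x", sign(b"other-key", b"fw-x"))
    # Owner signs an update with the current key: accepted.
    r["owner_upload"] = m.upload(b"fw-v2", sign(b"owner-key-1", b"fw-v2"))
    # Owner with physical access sets the jumper, rotates the key, removes the jumper.
    m.jumper_set = True
    r["key_change_with_jumper"] = m.set_key(b"owner-key-2")
    m.jumper_set = False
    # Images authenticated with the old key are refused; the new key is required.
    r["old_key_upload"] = m.upload(b"fw-v3", sign(b"owner-key-1", b"fw-v3"))
    r["new_key_upload"] = m.upload(b"fw-v3", sign(b"owner-key-2", b"fw-v3"))
    r["final_firmware"] = m.firmware
    return r

if __name__ == "__main__":
    print(demo())
```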
