Intel to include DRM in new Pentium 4 series processors
Adam Back
adam at cypherspace.org
Fri, 13 Sep 2002 18:14:35 +0100
On Sat, Sep 14, 2002 at 12:40:10AM +0800, Brian Gladman wrote:
> > The tiny minority who really want `secure boot' are better off booting
> > from a CD
>
> I don't agree since there is too much boot code (with hooks) that runs
> before the CD drive becomes available.
The only boot code that runs prior to CD drive availability is the
BIOS. Are you suggesting BIOS hacks? Hardware hacks?
BIOS typically has a dip switch or jumper on the motherboard where you
can disable BIOS upgrades. Seems setting your BIOS to this state, and
booting from a CD-ROM provides all of the security of the TPM secure
boot steps with TCPA.
The point is a component which can not be modified without
user-present tests, and explicit user approval which then verifies
prior to loading the rest of the boot steps. A read-only floppy,
CD-ROM, or more conveniently flash-RAM USB fob thing (some have
read-only switches on them) provides everything the TPM provides in
the way of user functions relating to secure boot.
Remote attestation of course is a different matter, but this is of
questional value to the user -- of more value to a content distributer
or software distributor in controlling the state of a user machine.
(Controlling in the sense of forcing the user to run particular
software to participate).
Adam
--
http://www.cypherspace.net/