
Who can talk about (Intel or ARM) boot? I'm looking at a problem that can be solved by setting up a device at boot time and not letting the OS have the privilege or perhaps the physical ability to change it...
--dave
-- David Collier-Brown, | Always do right. This will gratify System Programmer and Author | some people and astonish the rest davecb@spamcop.net | -- Mark Twain

You need a write only device.
You could boot from a CD/DVD which is write only.
Or possibly an SD card that has the write-lock enabled.
If the computer does not support an SD card you could use a USB card reader to boot from.
Of course in the worst case situation someone smart enough could rewrite the BIOS and get around any boot device.

On 01/05/2017 08:38 AM, David Collier-Brown via talk wrote:
> Who can talk about (Intel or ARM) boot? I'm looking at a problem that can be solved by setting up a device at boot time and not letting the OS have the privilege or perhaps the physical ability to change it...
> --dave
--- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk
-- Alvin Starr || voice: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||

The intention is to put the device setup into the boot ROM, so it can't (easily) change, but the working assumption is that one can

* discard the privilege used to set up the device, or
* be physically unsettable after it is initialized

I don't know the privilege primitives for Intel/ARM, or if one needs a latch somewhere to make the device write-once: I'd love to talk to someone who does.

--dave

On 05/01/17 08:47 AM, Alvin Starr via talk wrote:
> You need a write only device.
> You could boot from a CD/DVD which is write only.
> Or possibly an SD card that has the write-lock enabled.
> If the computer does not support an SD card you could use a USB card reader to boot from.
> Of course in the worst case situation someone smart enough could rewrite the BIOS and get around any boot device.
-- David Collier-Brown, | Always do right. This will gratify System Programmer and Author | some people and astonish the rest davecb@spamcop.net | -- Mark Twain

I have not had much experience with ARM booting but with Intel devices a normal Linux kernel has the ability to write any and all devices.
If you boot with something like Xen then you should be able to lock out some devices because the Xen kernel is actually managing the system security.
There is a Xen kernel available for ARM but I have never worked with it.

Likely the easiest would be to put the boot into a write protected USB device.
Take a look at http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protec...

It appears that my suggestion of an SD card may have been a bad one since from the above article SD cards are using the switch only as a signal to the OS of write-protectedness.

On 01/05/2017 09:15 AM, David Collier-Brown via talk wrote:
> The intention is to put the device setup into the boot ROM, so it can't (easily) change, but the working assumption is that one can
>
> * discard the privilege used to set up the device, or
> * be physically unsettable after it is initialized
>
> I don't know the privilege primitives for Intel/ARM, or if one needs a latch somewhere to make the device write-once: I'd love to talk to someone who does.
> --dave
-- Alvin Starr || voice: (905)513-7688 Netvel Inc. || Cell: (416)806-0133 alvin@netvel.net ||
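
An added illustration, not part of the thread or any participant's code: a small C model contrasting the two protections discussed above, an advisory write-protect switch that the host merely reads (the SD-card case) and a set-once latch that boot code sets after programming the device and that only a hardware reset clears. The register layout and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { DEV_OK = 0, DEV_ELOCKED = -1 };
/* Hypothetical device: a config register guarded by a set-once lock latch. */
typedef struct { uint32_t config; bool locked; } latched_dev;

/* Only a hardware reset (power cycle) clears the latch. */
void dev_reset(latched_dev *d) { d->config = 0; d->locked = false; }
/* Config writes are refused by the device itself once the latch is set. */
int dev_write_config(latched_dev *d, uint32_t v) {
    if (d->locked) return DEV_ELOCKED;
    d->config = v;
    return DEV_OK;
}

/* Write-1-to-set lock register: writing 0 never clears it. */
void dev_write_lock(latched_dev *d, uint32_t v) { if (v & 1u) d->locked = true; }
/* Boot ROM stage: program the device, then set the latch before the OS runs. */
int boot_stage(latched_dev *d, uint32_t policy) {
    int rc = dev_write_config(d, policy);
    dev_write_lock(d, 1);
    return rc;
}

/* OS stage: even fully privileged code cannot clear the latch or rewrite config. */
int os_attempt(latched_dev *d, uint32_t v) {
    dev_write_lock(d, 0);              /* ignored by the device */
    return dev_write_config(d, v);
}

/* SD-style advisory switch: the device reports it, the host decides. */
typedef struct { uint32_t data; bool wp_switch; } advisory_dev;

int advisory_write(advisory_dev *d, uint32_t v, bool host_honours_switch) {
    if (d->wp_switch && host_honours_switch) return DEV_ELOCKED;
    d->data = v;                       /* nothing in the device stops this */
    return DEV_OK;
}

int main(void) {
    latched_dev d; advisory_dev s = { 0x11, true };
    dev_reset(&d);
    boot_stage(&d, 0xA5);
    int rc1 = os_attempt(&d, 0xFF), rc2 = advisory_write(&s, 0x22, false);
    printf("latched rc=%d, advisory rc=%d\n", rc1, rc2);
    return 0;
}
```
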
participants (2)
- Alvin Starr
- David Collier-Brown