[Etherboot-developers] CVS COMMIT: Safe booting concept
From: Anselm M. H. <an...@ho...> - 2003-05-05 23:29:36
> ---)World Domination Of Etherboot(---

If this is our commonly accepted goal, hopefully we are one step further.

I just committed SafeBoot into CVS (5.1 only, of course). Documentation and a helpful script are in the safeboot folder in the contrib section. Openssl required for key management and digital signatures.

After having some discussion, especially with Ken, I decided to implement as follows:

A new Config switch named "SAFEBOOTMODE" has been introduced. Depending on where to read the public key from and where to find the digital signature, it must be set to an integer value - at this time, only 0 (zero) is supported, which means: public key stored in include/safeboot_key.h (script creates this file for you, the one in CVS is just a sample) and the digital signature is stored in an NBI unused header section - so only tagged .nbi format (not elf....) supported.

With code from 5.0 (md5.c), a checksum over everything but the dig.signature is created, then the digsig is unpacked and compared with the checksum. If it does not match, user must explicitly confirm that booting shall proceed.

I have to mention I used RSAEuro toolkit with their permission - it is now even free to ex/import in US as RSA is now in Public Domain thanks to RSA inc.

Dig into it, have a lot of fun.

BTW: I tested it, and it worked.

Best regards,
Anselm Martin Hoffmeister
Stockholm Projekt Computer-Service
<an...@ho...>

--
Remember: It is not the OS that makes you a more interesting conversation
partner, but what you know about it. And tolerance then makes you
a likeable conversation partner as well. (Buelent Caliskan in de.org.ccc)
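
The check described in the message above (a checksum over everything but the signature, compared with the value unpacked from the signature, with a confirmation prompt on mismatch), as an added example that is not part of the original post or of Etherboot's code. The header size, the signature slot offset, the toy RSA key and the sample image are assumptions constructed for illustration, and raw RSA without padding is used only to keep the sketch short.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                  # public key (what a key header would hold)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, signer side only

HDR_LEN = 512                # assumed header size
SIG_OFF, SIG_LEN = 64, 32    # hypothetical signature slot in unused header space


def digest_without_sig(image: bytes) -> int:
    """MD5 (the hash named in the post) over everything except the slot."""
    h = hashlib.md5(image[:SIG_OFF] + image[SIG_OFF + SIG_LEN:])
    return int.from_bytes(h.digest(), "big")


def sign_image(image: bytes) -> bytes:
    """Signer side: write the RSA-wrapped digest into the signature slot."""
    sig = pow(digest_without_sig(image), D, N)
    return (image[:SIG_OFF] + sig.to_bytes(SIG_LEN, "big")
            + image[SIG_OFF + SIG_LEN:])


def verify_image(image: bytes) -> bool:
    """Loader side: unpack the signature and compare it with a fresh digest."""
    if len(image) < HDR_LEN:
        return False                 # too short to carry a header at all
    sig = int.from_bytes(image[SIG_OFF:SIG_OFF + SIG_LEN], "big")
    if sig >= N:
        return False                 # not a valid RSA value for this key
    return pow(sig, E, N) == digest_without_sig(image)


def boot_decision(image: bytes, confirm=lambda: False) -> str:
    """On mismatch, boot only if the user explicitly confirms."""
    if verify_image(image):
        return "boot"
    return "boot-after-confirm" if confirm() else "halt"


# Constructed sample image: empty header followed by a dummy payload.
SAMPLE = bytes(HDR_LEN) + b"constructed kernel payload"

if __name__ == "__main__":
    signed = sign_image(SAMPLE)
    tampered = signed[:-1] + bytes([signed[-1] ^ 1])
    print(boot_decision(signed), boot_decision(tampered))
```

Because the slot is excluded from the digest, writing the signature into the header does not invalidate it, while a change to any other byte of the header or payload does.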