
Lennart Poettering Talks Up A "Brave New Trusted Boot World" For Linux


  • The Design of a Reasonably Secure Digital Computer System

    (version 2.0)

    (...continued from the previous post...)

    === Discussion ===

    A reader of this article might wonder: what exactly was proved, and what are all the assumptions? This article isn't attempting to prove that the secure-system-1 can be implemented by available technologies and simultaneously satisfy the requirement of a secure system and resistance to susceptibility-to-inquisition. Instead, this claim is taken as something to be examined, or constantly refined, depending on the changing conditions of the known technologies.

    The description of the secure-system-1 has been made such that we expect it to be relatively simple to prove that the secure-system-1 can satisfy the requirement of a secure system. At the same time we expect it to be possible, by currently available technologies, to create a physical implementation of secure-system-1 that is "sufficiently" resistant to susceptibility-to-inquisition (the word "sufficiently" is not well defined here; it depends, at least, on some unspecified context).

    We expect a physical implementation of secure-system-N to be achievable by currently available technologies, inexpensive, suitable for mass-production, and "sufficiently" resistant to susceptibility-to-inquisition.

    What this article argues is that the secure-system-1 can be divided into any desired number of discrete components which form the secure-system-N, where the functionality of the secure-system-N can be made to exactly match the functionality of the secure-system-1, while at the same time secure-system-N retains all the security properties that the secure-system-1 had. When dividing secure-system-1 into multiple components, the security properties of the secure-system-1 can be retained by the use of a symmetric key cipher and write-only nvRAM.

    One important aspect of the discussion is the interface between the user and the secure-system-N. This article has described some simple and reasonable means of making that interface secure, which primarily reduces to providing some low-effort method that makes the interface between the user and the secure-system-N immune to man-in-the-middle attacks.

    While outside the scope of this article, it can be noticed that the properties of the secure-system-N are very similar to the properties of the user. When the trivial differences between them are ignored, it can be observed that the user and his secure-system-N form a secure cybersystem, which can be perceived as one whole, where the property of security is retained by denying the capabilities of a man-in-the-middle on the easily accessible internal interfaces of the secure cybersystem.

    Another important aspect of this article is that it provides a description of a reasonably secure and practical secure-system-N. As an ideal, the secure-system-N can be compared to the actual systems of today. In this comparison, a reader can quickly find out where the systems of today are lacking in security when compared to the secure-system-N.

    (the end of the article)
    Last edited by xfcemint; 20 November 2022, 03:52 PM.


    • Summary of the article:

      The best way to figure out what the article is about is to compare the secure-system-N (the ideal) to available commodity computers.

      The article claims (hopefully correctly) that it is possible to defend a slightly enhanced commodity computer from evil maids of substantial capabilities.

      The difference compared to an ordinary computer is that the secure-system-N must integrate, inside many components, a hardware unit called write-only nvRAM. This is what allows a secure-system-N to be much more secure than an ordinary computer.

      A write-only nvRAM can store data while powered off. The stored data cannot be directly retrieved from a write-only nvRAM. Instead, a write-only nvRAM unit can prove that it has stored the data, and the stored data can be used to encrypt or decrypt other data.

      A shared secret stored in write-only nvRAMs allows each pair of components of secure-system-N to establish a secure connection between them at power-on. Shared secrets are generated at a reset to factory defaults.

      In order for a common computer to become a secure-system-N from a hardware perspective, it should integrate some write-only nvRAM inside at least the following components: CPU, keyboard controller, LCD display controller, second stage boot EEPROM. That would be a relatively simple and inexpensive modification to currently available hardware.
      Last edited by xfcemint; 23 November 2022, 06:30 AM.
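      A small stdlib-only Python model of the mechanism the summary describes, added here as an illustration and not code from the article or its author: a write-only nvRAM unit that never exposes its secret but can prove possession of it and derive keys from it, a factory reset that provisions one shared secret into a pair of components, a power-on mutual challenge-response between a CPU and a keyboard controller, and an authenticated link over which a keystroke travels. Component names, the HMAC-based proof and the HMAC keystream cipher are assumptions made for the demo.

```python
import hmac
import hashlib
import secrets

class WriteOnlyNvram:
    """Write-only nvRAM: the secret can be written, never read back. The unit
    only proves possession (HMAC over a challenge) and derives keys from it."""
    def __init__(self) -> None:
        self._secret = None  # deliberately no getter

    def write(self, secret: bytes) -> None:
        self._secret = secret  # done once, at reset to factory defaults

    def prove(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, b"prove" + challenge, hashlib.sha256).digest()

    def derive_key(self, label: bytes) -> bytes:
        return hmac.new(self._secret, b"key" + label, hashlib.sha256).digest()

def factory_reset(*units: WriteOnlyNvram) -> None:
    """Generate a fresh shared secret and write it into every unit of one pair."""
    shared = secrets.token_bytes(32)
    for u in units:
        u.write(shared)

def power_on_handshake(cpu: WriteOnlyNvram, kbd: WriteOnlyNvram):
    """Mutual challenge-response at power-on: each side checks the peer's proof
    against its own nvRAM, so a component holding a different secret (a
    man-in-the-middle) fails. Returns the shared session key, or None."""
    n_cpu, n_kbd = secrets.token_bytes(16), secrets.token_bytes(16)
    if not hmac.compare_digest(kbd.prove(n_cpu), cpu.prove(n_cpu)):
        return None
    if not hmac.compare_digest(cpu.prove(n_kbd), kbd.prove(n_kbd)):
        return None
    return cpu.derive_key(b"session" + n_cpu + n_kbd)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC one message on the link, e.g. a keystroke to the CPU."""
    nonce = secrets.token_bytes(16)
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # tampered in transit
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
```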


      • I would suggest that a blog would be a better format for this, or request to post to phoronix proper, or start a new thread in General Discussion.

        The number of people who will read your article here is vanishingly small.


        • Originally posted by ll1025:
          I would suggest that a blog would be a better format for this, or request to post to phoronix proper, or start a new thread in General Discussion.
          The number of people who will read your article here is vanishingly small.
          Good idea. I have created a new thread:

          Defeating Evil Maids on Commodity Hardware

          So I suggest that all further discussion on this topic be posted there.
          Last edited by xfcemint; 21 November 2022, 11:56 AM.


          • The lack of comments regarding the provided article is concerning. Especially now, when there is a short summary posted after the article, so that nobody needs to read or understand the entire article.

            The article contains everything: a detailed description of the problem, the solution, and the mathematical proof. Why is suddenly everyone so silent?

            I expected comments from:
            - people who said that they care about security, and from people who think that they care about security
            - people who claimed it to be impossible to provide a reasonable solution to the problem of evil maids
            - people who claimed, or thought, that the user must always lose against an evil maid (i.e. no further improvements on the problem of evil maids can be made)
            - people who voiced their opinions so loudly at the start of this thread

            Certainly, the lack of comments is impolite at a minimum. From a grimmer perspective, it implies that there is something wrong about the quality of people participating in this thread.


            • I think that I have figured out where the problem is. Apparently, Phoronix forums lack any measures of accountability. Even for me, it gets hard to follow who said what, who is constantly posting FUD and nonsense, and who is a reliable source of information.

              Overall, the situation is grim: the amount of correct vs. incorrect information on this forum is about 50% - 50%. Unreliable posters are continuing to poison the forums, and their abundance makes it hard for newcomers to untie the mess that they create. Then the newcomers get infected by incorrect information, and the situation keeps getting worse.

              In order to first unconfuse myself, I'm going to start making lists, in order to grade people and their posts. I'll try to take into account only those posts which are obviously correct or incorrect, i.e. if a post has some alternative interpretation, then I'll disregard such an ambiguous post.

              I'm going to start this project by considering the posts in this thread. I'll create another topic where the overall results from this thread and other threads will be accumulated.

              Then I'll be able to simply take a look at the list and immediately see whom I am discussing with.


              • Here is the list of grades (grading by me) for the posts in this thread (for the purposes of adding some accountability):

                Avamander - correct
                espi - correct
                stormcrow (#10) - incorrect
                sinepgib - correct
                JMB9 - incorrect
                Avamander (#19) - correct
                Avamander (#23) - correct
                fitzie - correct
                Almindor (#37) - incorrect
                F.Ultra (#40) - correct
                F.Ultra (#42) - correct
                F.Ultra (#44) - correct
                TheMightyBuzzard (#45) - incorrect
                JanW (#56) - incorrect
                Old Grouch (#59) - mostly correct (but missing insights from secure-system-N)
                Avamander (#60) - correct
                skeevy420 (#74) - invalid argument, neither correct nor incorrect
                Danielsan (#75) - incorrect
                mdedetrich (#77) - correct
                skeevy420 (#79) - correct
                Volta (#82) - incorrect
                Danielsan (#83) - incorrect
                sinepgib (#88) - mostly correct (but missing several issues)
                Luke (#91) - mostly incorrect (depending on exact definition of a "computer")
                kreijack (#93) - correct (excellent, hits all the major points)
                Luke (#115) - incorrect
                Luke (#116) - correct
                F.Ultra (#120) - mostly correct
                F.Ultra (#122) - mostly incorrect
                F.Ultra (#131) - correct
                F.Ultra (#132) - mostly correct
                Old Grouch (#136) - mostly incorrect
                Old Grouch (#139) - showing signs of not realizing own ignorance
                F.Ultra (#151) - confused answer
                ll1025 (#153) - part correct, part incorrect
                ll1025 (#175) - incorrect (misrepresentation of well known facts)