Originally posted by xfcemint
View Post
You can implement all the chained trust systems you want: an attacker will always have an avenue; perfect security is a myth. If you want perfectly verifiable boot trust, they can break out the logic analyzer and use voltage-based attacks to circumvent the logic, they can decap your secure chips, they can install passive hardware keyloggers....
The statement of the problem (in the posts above) assumes that the user can securely communicate (both send and receive) data to and from the described single-component system.
You reference an "evil maid" attack-- that's literally how it works, they inject a keyboard sniffer to capture your P1 or P2 in order to later retrieve the computer and enter them. Your system does not address this attack at all.
You also gloss right over the core problems:
- How are P1 and P2 updated? Is there access control to prevent an attacker from sniffing your entered P1/2, writing a new P1/P2, and MITMing you via proxy hardware?
- How is IM1 and LKIM1 updated? Is there access control here? Can a live operating system update them? What stops an attacker from updating them?
- How are you protecting these keys on the bus, in RAM, in CPU register, at rest....
- Are you actually implying that IM1 is a photographic image to be used for some sort of verification? Are you aware that techniques exist for imperceptibly but significantly modifying images exist that can defeat vision-based verification?
Comment