On Fri, 23 Sep 2011, Craig Sanders <cas@taz.net.au> wrote:

On Thu, Sep 22, 2011 at 08:52:35PM -0700, Daniel Pittman wrote:

...

So, the biggest advantage is that it does work against all those attacks that compromise the kernel and/or drivers to get into the kernel after a restart. Which, indeed, is where many of the "root kit" tools hit, on Windows.

so the "solution" is to prevent installation of competing operating systems that don't have the security flaws that allow malware to compromise the kernel? or the BIOS.

wonderful. makes perfect sense.

If you ran a corporate IT department and had a set of Linux laptops then it would be handy to be able to lock them down to prevent them from being used for gaming, pr0n, etc. A BIOS that could be locked to a GPG key to only load a signed kernel and initrd could be a first stage towards a locked down system. Like many technologies this can be used for good or evil. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/