That'd work, though you'd want to use a cryptographic signature instead of a CRC - it's easy to force a CRC to match. The easiest thing to do would be to have the firmware verify the signature, that way you don't need a second computer to verify your laptop every time you want to boot it. And... you've just reinvented Secure Boot.

CRC the /boot partition and make independent system check-verify it, before booting it.
Bootloader exploits are attractive because they are very hard to detect from a booted computer. There is no reason to expect that people using Linux would never be targeted by such attacks.
If you go down this path, you've re-invented the modern virus scanner - only worse, as you probably have to put this in a chip, not on a disk, and come up with a way to safely & securely update it. Definition-based virus scanners are great at detecting current and old viruses, but not near-future, and tomorrow's viruses/etc.
The problem is if you can install any operating system on the machine, you can subvert any operating system on the machine.
But see that's my point... MS does --NOT-- need to worry about whether or not Linux can get targeted by such attacks... It isn't their concern at all. Not even a teeny weeny tiny little bit.
EDIT: MS can come up with whatever excuses they want, but they will never be able to come up with enough excuses to give them the right to determine what Linux is acceptable to boot from.
Last edited by duby229; 12-28-2012 at 06:56 PM.
THAT'S NOT OUR PROBLEM!!!
If MS is so worried about their OS, then let them worry about their OS.
EDIT: sometimes you gotta do what you gotta do. The thing about freedom is that you're free to do whatever you want to do as long as you're not stepping on somebody else's freedoms...
EDIT2: And about subverting an OS... That will always be true. Secureboot is not going to change that. MS OSes have been by far the worst offenders. Windows 8 is -not- going to be an exception. It will get infected just as badly as the rest of them have. Secureboot won't fix that. The only thing it does is give MS the ability to decide what OSes are acceptable to boot and which ones aren't. THAT is NOT their place. What they need to do is ban the worst offenders... But that would fuck themselves.
Last edited by duby229; 12-28-2012 at 07:06 PM.
Second, even if they have done that, they only defeated one layer. They can't inject kernel code, only in userspace. And userspace can be CRCed as well - but that's outside even of SecureBoot scope.
It is possible to check by system hardware, if it's prone to bugs, which it isn't. So it's better to use an independent system, connecting only for time of pre-boot checks as RO.
The difference is that my "version" does not require you to "surrender" to me or be executed.
The small attribute is that my "version" was "invented" in 10 seconds of time, and I sure have read about it 2-3 years ago on the network. That means, it is already used in production.
And also, in case anyone with ideas is browsing, the whole idea above is a Defensive Publication at date/time of original post.
So don't even try.
Last edited by crazycheese; 12-28-2012 at 06:52 PM.
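
An added example, not part of any post in this thread: the CRC-versus-signature point raised above, applied to checking /boot from an independent system. It shows that the effect of a change on a CRC32 is predictable by anyone, while a keyed SHA-256 manifest rejects the same change; the file contents, key and function names are constructed, and HMAC-SHA256 stands in for the public-key signature that firmware would verify.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: stand-ins for files on a /boot partition.
BOOT = {"vmlinuz": b"kernel image bytes v1", "initrd.img": b"initramfs bytes v1"}
# Assumption: this key exists only on the independent checking system.
VERIFIER_KEY = b"constructed-demo-key"


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def predicted_crc(original_crc: int, diff: bytes) -> int:
    """CRC32 of (original XOR diff), derived from the old CRC alone.

    CRC32 is affine over GF(2) for a fixed length:
        crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros)
    No secret is involved, so the checksum after any edit is known in
    advance and gives no protection against deliberate modification.
    """
    return original_crc ^ zlib.crc32(diff) ^ zlib.crc32(bytes(len(diff)))


def manifest(files: dict) -> bytes:
    """Canonical listing: one 'sha256  name' line per file, sorted by name."""
    lines = (f"{hashlib.sha256(files[n]).hexdigest()}  {n}\n" for n in sorted(files))
    return "".join(lines).encode()


def seal(files: dict, key: bytes) -> str:
    """Keyed tag over the manifest, computed while the system is trusted."""
    return hmac.new(key, manifest(files), hashlib.sha256).hexdigest()


def verify(files: dict, key: bytes, tag: str) -> bool:
    """Pre-boot check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal(files, key), tag)


if __name__ == "__main__":
    tag = seal(BOOT, VERIFIER_KEY)
    changed = dict(BOOT, vmlinuz=b"kernel image bytes v2")
    print("untouched /boot verifies:", verify(BOOT, VERIFIER_KEY, tag))
    print("modified /boot verifies:", verify(changed, VERIFIER_KEY, tag))
```
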