Am 10.07.2012 00:38, schrieb Graham Cunnington:
> The above is incomprehensible to most users who are not developers.
> Why not just say:
> "You can password-protect Grub. This will secure it against malware
> and anybody taking over your computer."
This is in no way comparable to Secure Boot or TPM measure in general. A
password just prevents THIS instance of grub and THIS grub configuration
from being used to boot systems in an unintended manner by unauthorized
individuals. It can be easily circumvented by e.g. booting from a CDROM
or USB drive (hardware access is the key here). Password-based menus are
inherently insecure when used with physical access. It's commonly
described as security by obscurity. Just locking the one most obvious
entry in a secure manner doesn't make the whole building safe if there
are other slightly hidden, unlocked entries. Security AND obscurity
combined can offer additional security (e.g. all doors locked and hidden).
Furthermore password-based menus don't prevent that installation of grub
to be replaced by a malicious modified instance of grub which could e.g.
log your password and could load a maliciously modified kernel. That's
because unlike other measure like Secure Boot it does not verify the
code executed. Instead you're just trusting the code to correctly verify
the password and it does not even check the kernel. To be protected
against malicious code there needs to be a secure component that checks
every code executed by the computer at any point for trustworthiness.
That's simply put and sort of an optimal scenario. In reality you won't
be able to check more than a sensible selection for administrative
reasons (except for clearly defined use cases like some embedded
devices) and it's somewhat more complicated.
So we have two completely different use cases here:
- passwords: verification of the user i.e. the human individual trying
to use that bootloader instance (not anything else), could be
ineffective with malicious code which is not checked here
- TPM or Secure Boot: verification of the actual code executed i.e. no
malicious software is executed if everything is verified (practically
impossible) and if nobody is able to get his malicious code trusted due
to human or administrative mistakes e.g.
AFAIK as with Secure Boot almost nothing is verified the glamorously
advertised, all-encompassing, magic protection is actually a fallacy and
just very limited. If it weren't for the seemingly obvious true concerns
of global companies, it could actually be quite an interesting technology.