Message-ID: <alpine.DEB.1.10.0811120349370.16188@mtl.rackplans.net>
Date:	Wed, 12 Nov 2008 03:51:17 -0500 (EST)
From:	Gerhard Mack <gmack@...erfire.net>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
cc:	Pavel Machek <pavel@...e.cz>, mathias.schnarrenberger@....de,
	Olaf van der Spek <olafvdspek@...il.com>,
	linux-kernel@...r.kernel.org
Subject: Re: security: delete BIOS password in keyboard buffer during kernel
 bootup

On Tue, 11 Nov 2008, Alan Cox wrote:

> Date: Tue, 11 Nov 2008 16:54:21 +0000
> From: Alan Cox <alan@...rguk.ukuu.org.uk>
> To: Pavel Machek <pavel@...e.cz>
> Cc: mathias.schnarrenberger@....de, Olaf van der Spek <olafvdspek@...il.com>,
>     linux-kernel@...r.kernel.org
> Subject: Re: security: delete BIOS password in keyboard buffer during kernel
>     bootup
> 
> > OTOH we don't call BIOS from linux, so we assume that low 64K is
> > usable memory (unless marked otherwise in memmap, I guess).
> 
> We use the BIOS in some cases for PCI routing, PCI services, APM, and
> indirectly for SMM traps, ACPI and via user space for other stuff. So we
> preserve the bottom 4K for the BIOS 0x40:xx page
> > 
> > Anyway, proper place to do clearing is bootloader; it interacts with
> > bios already, anyway...
> 
> Agreed entirely.

Best place would be for the OEM to fix it.  If it's a security issue it 
shouldn't be overly difficult to embarrass them into a fix.

	Gerhard
 
--
Gerhard Mack

gmack@...erfire.net

<>< As a computer I find your faith in technology amusing.