On Mon, Aug 04, 2014 at 09:15:06PM +1000, cdb wrote:
> On Mon, 4 Aug 2014 06:59:57 -0400, Peter Johansson wrote:
> :: The solution is to implement a proper trust model for USB devices in
> :: your operating system. This would include the BIOS for devices
> :: accessible through it at boot time
>
> I assume this is to some extent what the UEFI and certificates
> alleviate. The problem here is that it becomes nigh on impossible
> to boot devices from a USB device - that is certainly the case with
> my Medion tablet.
>
> The only way I can use a USB stick to boot the device (for recovery
> purposes) is to use W8.1 recovery, to install a certificate, then
> copy the recovery environment wim file over and rename it boot.wim.
>
> So this actually becomes an annoyance/hindrance for the user who
> might want security, but not as much security as public/commercial
> bodies may require.

We faced a similar challenge at One Laptop Per Child, so we made our own
firmware security implementation and provided the tools for owners to
either disable or make their own signing infrastructure.

On a secured laptop, it won't boot an untrusted USB device, and trust is
established through a signature file.

http://wiki.laptop.org/go/Firmware_security

Despite the availability of these tools, we still get people unable to
boot from USB. ;-}

However, this doesn't address the keyboard and mouse emulation attack
vector, which can happen once the operating system has booted.

--
James Cameron
http://quozl.linux.org.au/