Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!mit-eddie!uw-beaver!fluke!vince
From: vince@tc.fluke.COM (Craig Johnson)
Newsgroups: comp.sys.3b1
Subject: Re: 3b1 security and removal of ua
Summary: Add security to boot ROM
Keywords: ua security
Message-ID: <1991Apr10.213821.3762@tc.fluke.COM>
Date: 10 Apr 91 21:38:21 GMT
References: <375@unx-pc.UUCP> <927@jonlab.UUCP> <1991Apr10.054606.26116@yenta.alb.nm.us>
Organization: John Fluke Mfg. Co., Inc., Everett, WA
Lines: 44

dt@yenta.alb.nm.us (David B. Thomas) writes:
> As someone else already pointed out, they have to get at the console to
> exploit this hole, and anyone with access to your console can boot it from
> a floppy and do anything they want!!

Following up on an idea posed several weeks ago, I've been thinking about
generating my own boot ROM with some new features added. For example, how'd
you like the ability to run diagnostics by typing a secret command at boot
up time without having to find and load the diagnostic disk? After a few
seconds the boot would proceed normally if no command were entered. Another
thought was to include a secret command to allow booting from the floppy,
thereby preventing anonymous users from booting off it. Of course the
drawback is that you need to reprogram the boot ROMs if you want to change
the secret commands and/or passwords and/or update the diagnostics. But if
you need real security, then maybe that's OK.

What do you think? I'm not faced with a security problem and don't need to
have floppy boot protection for myself, but if I were encouraged by enough
feedback I'd consider doing it for others.

If anyone else is interested in pursuing this, note that the boot ROM
utilizes only about 4K of 32K available (with 27128's used; 2764's or
27128's can be used) in a 4M address space reserved solely for the ROM.
s4diag won't fit in the present ROMs but with the addition of 2 more
address lines and changing to 27512's it will. It should be a quick and
easy hardware hack since the 27512 pinout is nearly the same (28-pin) as
the 27128. I figure I'll still need to strip the .bss section from s4diag
to get it to fit. Other than that, I was going to copy s4diag without
change to the ROM. At run time, I was going to simply copy s4diag to RAM
in the same location that the loader normally would do if it were read in
from a floppy and transfer control there. I will check to see if the
loader changes anything in the MMU mapping and make sure proper
initializations are performed if needed prior to transferring control.

Of course, we could consider putting other things in the boot ROM. Can you
say "diskless node"? Hmmm. I'll leave that to your imagination.

---
Craig V. Johnson          ...!fluke!vince
John Fluke Mfg. Co.                 or
Everett, WA               vince@tc.fluke.com
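The boot-time "secret command" gate that the post sketches (type a word at power-up, fall through to a normal boot after a few seconds of silence), as an added example that is not from the post and not code from any 3b1 ROM. Console polling is abstracted behind a callback so the logic can be exercised on a host; the secret words `diag` and `fd`, the 16-character line limit and the 50-poll idle budget are all assumptions. A real ROM would plug in a routine that polls the 3b1 console UART, which is not shown here. The gate prints no prompt and echoes nothing, so an observer at the console sees only the usual boot, and it compares over the whole fixed-size buffer so response timing does not reveal how many leading characters of a guess were correct.

```c
/* Hypothetical boot-ROM command gate (added example, not 3b1 ROM code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum boot_action { BOOT_NORMAL = 0, BOOT_DIAG = 1, BOOT_FLOPPY = 2 };

/* Returns the next console character, or -1 if none is waiting.
 * In a real ROM this would poll the console UART. */
typedef int (*poll_fn)(void *ctx);

#define MAX_CMD 16
static const char DIAG_WORD[]   = "diag";  /* assumed; baked into the ROM image */
static const char FLOPPY_WORD[] = "fd";    /* assumed */

/* Compare the typed line with a secret across the entire buffer, with no
 * early exit, so timing does not leak the length of the correct prefix.
 * Both sides are zero-padded, so lengths must agree as well. Returns 1 on match. */
static int word_matches(const char buf[MAX_CMD + 1], const char *secret)
{
    char pad[MAX_CMD + 1];
    unsigned char diff = 0;
    size_t i;

    memset(pad, 0, sizeof pad);
    strncpy(pad, secret, MAX_CMD);          /* secrets are short; truncate defensively */
    for (i = 0; i < MAX_CMD + 1; i++)
        diff |= (unsigned char)(buf[i] ^ pad[i]);
    return diff == 0;
}

/* Read one line silently. idle_limit consecutive empty polls with no
 * keystroke means "nobody is there": proceed with the normal boot. */
enum boot_action boot_gate(poll_fn poll, void *ctx, unsigned long idle_limit)
{
    char buf[MAX_CMD + 1];
    size_t len = 0;
    int overflow = 0;
    unsigned long idle = 0;

    memset(buf, 0, sizeof buf);
    while (idle < idle_limit) {
        int c = poll(ctx);
        if (c < 0) {                        /* nothing typed: one tick toward timeout */
            idle++;
            continue;
        }
        idle = 0;                           /* keystroke seen: allow more time */
        if (c == '\r' || c == '\n') {
            if (!overflow && word_matches(buf, DIAG_WORD))   return BOOT_DIAG;
            if (!overflow && word_matches(buf, FLOPPY_WORD)) return BOOT_FLOPPY;
            return BOOT_NORMAL;             /* unknown word: no retry, no message */
        }
        if (len < MAX_CMD)
            buf[len++] = (char)c;
        else
            overflow = 1;                   /* over-long line can never match */
    }
    return BOOT_NORMAL;                     /* silence: boot from the hard disk */
}

/* Host-side stand-in for the console: a scripted sequence of keystrokes
 * (constructed test input), then "nothing waiting" forever. */
struct script { const char *text; size_t pos; };

static int script_poll(void *ctx)
{
    struct script *sc = ctx;
    if (sc->text[sc->pos] == '\0')
        return -1;
    return (unsigned char)sc->text[sc->pos++];
}

enum boot_action boot_gate_from_string(const char *typed)
{
    struct script sc = { typed, 0 };
    return boot_gate(script_poll, &sc, 50); /* 50 idle polls stands in for "a few seconds" */
}

int main(void)
{
    const char *cases[] = { "", "diag\n", "fd\r", "diag", "diagx\n" };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %lu -> action %d\n", (unsigned long)i,
               (int)boot_gate_from_string(cases[i]));
    return 0;
}
```

Two properties matter for the use the post has in mind. Every failure path (timeout, unknown word, over-long line, word typed without a terminating return) ends in the ordinary hard-disk boot, so the gate can never leave the machine in a state an operator would not expect. And because the secret is a constant in the ROM image, anyone who can pull and read the ROM can recover it, which is the same trade-off the post notes: changing it means burning new parts.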