OT: Signed binaries

Michael B. Brutman mbbrutman-cctalk at brutman.com
Sun Jun 25 17:03:16 CDT 2006


Don Y wrote:
> Ah, excellent!  But, is their intent to catch "incorrectness"
> caused by, e.g., hardware failures?  I.e., do they assume they
> are operating in a HOSTILE environment or just an UNFRIENDLY
> one?
> 
> For example, most machines' bootstrap code contains checksums.
> But, you can usually hack those images if you spend a little
> time tweaking the checksum in the process (so the code thinks
> everything is fine).
> 
> OTOH, cryptographic signatures are *designed* to prevent
> (uh, "strongly discourage" :> ) this.
> 
> 

I can't tell you the particulars because I don't know them.  However, 
the OS does sign the binaries to detect tampering, for both security 
reasons and to ensure that IBM gets what IBM thinks is due. ;-)

The bootstrap code on something like an S38/AS400/iSeries is like an 
entire operating system by itself, and I have no idea of what that code 
is protected by, or even what it is running on this week.  (The machine 
uses a 'service processor' for at least part of the self-check and boot.)
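
The checksum-versus-signature distinction raised in the quoted question, as an added example that is not part of the original post and not IBM's mechanism: an unkeyed checksum catches accidental corruption but can be recomputed by anyone who edits the image, while a keyed check cannot be regenerated without the secret. HMAC-SHA256 stands in for a public-key signature here because the Python standard library has no signature scheme; the payload, key and function names are constructed for illustration.

```python
import hashlib
import hmac

def checksum8(image: bytes) -> int:
    """Unkeyed additive checksum: sum of all bytes mod 256."""
    return sum(image) & 0xFF

def seal_with_checksum(payload: bytes) -> bytes:
    """Append one byte so the whole image sums to zero mod 256."""
    return payload + bytes([(-sum(payload)) & 0xFF])

def checksum_ok(image: bytes) -> bool:
    return checksum8(image) == 0

def seal_with_mac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with a secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_ok(image: bytes, key: bytes) -> bool:
    payload, tag = image[:-32], image[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

def modify(payload: bytes) -> bytes:
    """Constructed modification: flip one bit in the first byte."""
    return bytes([payload[0] ^ 0x01]) + payload[1:]

# Constructed sample data, not taken from any real machine.
PAYLOAD = b"BOOT" + bytes(range(60))
VENDOR_KEY = b"constructed-vendor-key"  # assumption: known only to signer and verifier

def demo() -> dict:
    changed = modify(PAYLOAD)
    old_check = seal_with_checksum(PAYLOAD)[-1:]
    old_tag = seal_with_mac(PAYLOAD, VENDOR_KEY)[-32:]
    return {
        # Unfriendly environment: a stray bit flip leaves the stored check stale.
        "checksum_catches_bit_flip": not checksum_ok(changed + old_check),
        # Hostile environment: whoever edits the image can recompute the checksum.
        "checksum_accepts_resealed": checksum_ok(seal_with_checksum(changed)),
        # The keyed tag goes stale too, and cannot be rebuilt without the key.
        "mac_rejects_old_tag": not mac_ok(changed + old_tag, VENDOR_KEY),
        "mac_rejects_wrong_key": not mac_ok(seal_with_mac(changed, b"guess"), VENDOR_KEY),
        "mac_accepts_original": mac_ok(seal_with_mac(PAYLOAD, VENDOR_KEY), VENDOR_KEY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With a MAC the verifier must hold the same secret as the signer, so a real public-key signature is the better fit when the verifying machine itself may be in hostile hands.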
