[E] [ironic] Securing physical hosts in hostile environments

Jeremy Stanley fungi at yuggoth.org
Wed Dec 16 18:53:14 UTC 2020


On 2020-12-16 09:33:13 -0800 (-0800), Julia Kreger wrote:
[...]
> in the meantime they are performing in-band flashing upon each
> cleaning in the hope of scrubbing malicious firmware and squashing
> any malicious user's actions. This is an approach a number of
> operators have publicly stated they've taken; however, it requires
> creating your own custom hardware manager to align with the
> hardware you have and the firmware versions you want/expect.
[...]

It's also worth reminding everyone this is an incomplete solution.
How do you know the in-band reflashing worked? Because the (possibly
backdoored) firmware says it did, of course! It's certainly not
going to just claim to have reflashed with exactly the bits you
supplied while actually reinjecting its persistent backdoor, right?

Of course, that's ultimately the reason we keep having this
conversation over and over. ;)
-- 
Jeremy Stanley