[E] [ironic] Securing physical hosts in hostile environments
fungi at yuggoth.org
Wed Dec 16 18:53:14 UTC 2020
On 2020-12-16 09:33:13 -0800 (-0800), Julia Kreger wrote:
> in the meantime they are performing in-band flashing upon each
> cleaning in hope to scrub malicious firmware in hopes of squashing
> any malicious user's actions. This is an approach a number of
> operators have publicly stated they've taken, however it requires
> creating your own custom hardware manager to align with the
> hardware you have and the firmware versions you want/expect.
It's also worth reminding everyone this is an incomplete solution.
How do you know the in-band reflashing worked? Because the (possibly
backdoored) firmware says it did, of course! It's certainly not
going to just claim to have reflashed with exactly the bits you
supplied while actually reinjecting its persistent backdoor, right?
Of course, that's ultimately the reason we keep having this
conversation over and over. ;)