3b1 security and removal of ua
vince at tc.fluke.COM
Thu Apr 11 07:38:21 AEST 1991

dt at yenta.alb.nm.us (David B. Thomas) writes:
> As someone else already pointed out, they have to get at the console to
> exploit this hole, and anyone with access to your console can boot it from
> a floppy and do anything they want!!

Following up on an idea posed several weeks ago, I've been thinking
about generating my own boot ROM with some new features added. For
example, how'd you like the ability to run diagnostics by typing a
secret command at boot up time without having to find and load the
diagnostic disk? After a few seconds the boot would proceed normally
if no command were entered. Another thought was to include a secret
command to allow booting from the floppy, thereby preventing anonymous
users from booting off it. Of course the drawback is that you need to
reprogram the boot ROMs if you want to change the secret commands
and/or passwords and/or update the diagnostics. But if you need real
security, then maybe that's OK.

What do you think? I'm not faced with a security problem and don't
need to have floppy boot protection for myself, but if I were
encouraged by enough feedback I'd consider doing it for others.

If anyone else is interested in pursuing this, note that the boot ROM
utilizes only about 4K of 32K available (with 27128's used; 2764's or
27128's can be used) in a 4M address space reserved solely for the
ROM. s4diag won't fit in the present ROMs but with the addition of 2
more address lines and changing to 27512's it will. It should be a
quick and easy hardware hack since the 27512 pinout is nearly the same
(28-pin) as the 27128. I figure I'll still need to strip the .bss
section from s4diag to get it to fit. Other than that, I was going to
copy s4diag without change to the ROM. At run time, I was going to
simply copy s4diag to RAM in the same location that the loader normally
would do if it were read in from a floppy and transfer control there.
I will check to see if the loader changes anything in the MMU mapping
and make sure proper initializations are performed if needed prior to

Of course, we could consider putting other things in the boot ROM. Can
you say "diskless node"? Hmmm. I'll leave that to your imagination.
Craig V. Johnson ...!fluke!vince
John Fluke Mfg. Co. or
Everett, WA vince at tc.fluke.com
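
The copy-to-RAM step described in the post above, as an added example that is not part of the original post or of any 3B1 ROM code: once .bss is stripped from the stored image, the ROM loader has to recreate it as zeros in RAM and should bounds-check the header before copying. The header layout, field names and sample bytes are assumptions made for illustration; the real s4diag layout is not given in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ROM image header (assumption, not the real s4diag format). */
struct rom_image {
    uint32_t load_off;   /* RAM offset where the floppy loader would place it */
    uint32_t entry_off;  /* entry point, relative to load_off */
    uint32_t init_len;   /* text + data bytes actually stored in ROM */
    uint32_t bss_len;    /* zero-filled bytes stripped from the ROM copy */
};

/* Copy a stripped image from ROM into RAM and recreate its .bss.
 * Returns the RAM offset to transfer control to, or -1 if the header
 * describes something that does not fit in ROM or RAM. */
long rom_load(const struct rom_image *h, const uint8_t *payload,
              size_t rom_avail, uint8_t *ram, size_t ram_len)
{
    /* The header must not claim more bytes than the ROM holds. */
    if (h->init_len > rom_avail)
        return -1;
    /* Overflow-safe bounds checks: subtract from the limit, never add. */
    if (h->load_off > ram_len || h->init_len > ram_len - h->load_off)
        return -1;
    if (h->bss_len > ram_len - h->load_off - h->init_len)
        return -1;
    /* The entry point must land inside the copied text + data. */
    if (h->entry_off >= h->init_len)
        return -1;

    memcpy(ram + h->load_off, payload, h->init_len);
    /* The program expects zeros in .bss; RAM holds garbage at power-up. */
    memset(ram + h->load_off + h->init_len, 0, h->bss_len);
    return (long)h->load_off + (long)h->entry_off;
}

int main(void)
{
    static uint8_t ram[256];
    const uint8_t payload[4] = {0x4e, 0x71, 0x4e, 0x75}; /* constructed sample bytes */
    struct rom_image h = {64, 0, sizeof payload, 16};

    memset(ram, 0xAA, sizeof ram);  /* simulate uninitialised RAM */
    return rom_load(&h, payload, sizeof payload, ram, sizeof ram) == 64 ? 0 : 1;
}
```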