[Info-vax] Some of what I'm reading...

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Sun May 20 20:19:13 EDT 2018


On 2018-05-20 13:28:01 +0000, IanD said:

> Bit hard for VMS to support the secure key store when it's a function 
> of the Apple chip.

The keychain store doesn't require the Apple T2 chip.  The keychain 
storage uses a set of APIs and AES encryption to maintain and protect 
private keys and passwords.  Various x86-64 processors do have AES 
acceleration too, which is handy.

OpenVMS has no concept of protecting keys and private certificates.  
It's all tossed over to the user to deal with.  Or to not deal with, as 
the case may be.  Apache has its own certificate store, and so does the 
upstream-deprecated-a-decade-ago CDMA, so does ssh, and so too does 
OpenVMS, as do some apps.  DECnet has its own password storage, as do 
various apps.  Etc.  Everybody has implemented their own schemes.  Some 
are better than others.

> Didn't the Vax and Alpha have special parts to them that VMS exploited, 
> although not security related.

Sure.  Some of which DEC and Compaq and HP/HPE and VSI have 
incrementally removed with each port, and variously rolling pieces and 
parts into Software Interrupt Services; SWIS.  SWIS is the OpenVMS 
Hardware Abstraction Layer.

> We are moving to commodity hardware I guess we have to put up with its 
> limitations?

Have a look at the Intel Management Engine (ME) with Trusted Platform 
Module (TPM) support that's available in Intel chipsets, for instance.  
Not that the Apple keychain storage particularly uses the TPM for 
security, either.

Apple T2 replaces various of what Intel ME provides, and adds some 
other capabilities.

Related reading:
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf
https://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/
https://en.wikipedia.org/wiki/Trusted_Platform_Module




-- 
Pure Personal Opinion | HoffmanLabs LLC 



