On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot <
coreboot(a)coreboot.org> wrote:
> But generally speaking: that discussion is rather off topic for this
> mailing list.
> Please look for some more suitable venue to discuss "people potentially
> tampering other people's devices (with no obvious connection to coreboot)".
>
Patrick is right that the Bloomberg article is not particularly well-suited
for the coreboot mailing list.
However, it's still worth pointing out that supply chain attacks are a
serious threat. This could be in the form of added hardware (like the
Bloomberg article suggests) or it could be in the form of firmware that
contains malicious code from any of the many parties involved in creating
it.
Traditionally, firmware contains modules from the silicon vendor, a
software vendor (IBV/ISV) who packages it with their SDK and value-add
software, and ODMs/OEMs who make further product-specific additions. Modern
firmware can easily contain over a million lines (or multiple millions of
lines) of code from several parties, and this code runs at the highest
privilege level before any OS-based security mechanism comes into play.
Anyone in that part of the supply chain can slip in malicious code, and the
customer usually doesn't have any way of viewing the code or tracing where
it came from due to its closed nature.
That is relevant to coreboot insofar as coreboot has been leading the
charge (with varying levels of success) for open and auditable firmware on
x86 platforms for nearly two decades.