On 06.03.2010 19:52, ron minnich wrote:
It would be nice, if a flashrom is in there, to also have some sort of security too I think.
Something that is not as easily compromised as the stuff that's out there now, which relies on security through obscurity.
Is it even possible?
Well, I implemented signature checking for coreboot (so that only signed payloads would be executed).
The big question is: Do you want to protect against
1. someone with full hardware access (developer),
2. someone sitting in front of the machine but without hardware access (computer pool),
3. against evil malware (including rootkits)?
I'd say the first category is pointless with current x86 hardware.
Second category should be easily achieved by requiring a signed boot image for a non-lockdown boot. A default boot would be with locked down flash, and only a special kernel/payload/bootable-file-on-disk would be able to reflash. Needs chipset cooperation and/or one-shot GPIOs.
Third category would allow the user to select an unlocked boot. Locked boot would be default, and the setting would not be stored anywhere to avoid circumvention.
The only thing I really trust is a jumper, but nobody seems to put those in any more. A pity.
At least one modern flash chip ignores the write protect pin for some erase commands. A jumper won't help here. Chipset lockdown can be circumvented as well. If you really want a rootkit-resistant protection, you need two flash chips and some additional circuitry.
(I once worked as an infosec penetration tester, and it shows. I don't believe in magic, nor do I believe in correct operation of any chip under non-standard conditions.)
Regards, Carl-Daniel