On 3/6/10 9:17 PM, ron minnich wrote:
On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger c-d.hailfinger.devel.2006@gmx.net wrote:
On 06.03.2010 19:52, ron minnich wrote:
It would be nice, if a flashrom is in there, to also have some sort of security too I think.
Something that is not as easily compromised as the stuff that's out there now, which relies on security through obscurity.
Is it even possible?
Well, I implemented signature checking for coreboot (so that only signed payloads would be executed).
The big question is: Do you want to protect against
1. someone with full hardware access (developer),
2. someone sitting in front of the machine but without hardware access (computer pool),
3. against evil malware (including rootkits)?

I'd say the first category is pointless with current x86 hardware.
I agree completely.
Also, the question is what kind of privilege escalation can be caused by a security breach. While you can always solder a new flash chip on an x86 system these days, you can still encrypt your data in order to protect (read) access.
3 is the biggest concern. For me, anyway. (2) is close however.
Someone sitting in front of the machine usually does have hardware access, so the differentiation is kind of artificial unless you count the people forgetting to bring soldering irons and screwdrivers.
Stefan