On Mon, 9 Dec 2019 09:08:35 -0800 Seth Rosenblatt seth@the-parallax.com wrote:
I wasn't able to find the security@ alias, otherwise would've emailed y'all there. I didn't hear back before publication but happy to make any corrections if needed. I'm also willing to include a statement from Coreboot if you want to send one over.
Note that I cannot speak for Coreboot.
Here I want to point out that security is relative to a threat model.
The fact that the boot software (Coreboot, u-boot, etc.) can be replaced by users is crucial for freedom.
I wouldn't want to use a computer whose boot software is signed in a way that prevents users from replacing it, as that would be an attack on freedom. That attack would also be a security issue for me, as the device manufacturer is part of my threat model.
I wouldn't feel safe in a jail either.
Denis.