On 06.03.2010 23:57, Stefan Reinauer wrote:
On 3/6/10 8:28 PM, Carl-Daniel Hailfinger wrote:
On 06.03.2010 19:52, ron minnich wrote:
It would be nice, if a flashrom is in there, to also have some sort of security too I think.
Something that is not as easily compromised as the stuff that's out there now, which relies on security through obscurity.
Is it even possible?
Well, I implemented signature checking for coreboot (so that only signed payloads would be executed).
When coresystems developed our first version of hard crypto signature checking for firmware in 2007/2008 we explicitly decided to not check the payload but only let the payload check further stages. The reason was that if you're able to compromise the flash chip, you're able to reprogram coreboot just as well as the payload. Also, we didn't want feel comfortable to duplicate the amount of crypto code in the flash, and there is no serious mechanism around that protects only the bootblock, at least not on commonly used systems.
Indeed.
So I'm interested to hear your reasons to do this in coreboot itself... Is your code publically available somewhere?
Code: http://www.mail-archive.com/coreboot@coreboot.org/msg17372.html Thesis by Rene Reuter: http://sit.sit.fraunhofer.de/smv/publications/downloads/KonzeptTrustedBoot_R... Reasons: Basically, I did it for fun, and because Rene was stuck trying to include OpenSSL in coreboot. I simply coded up a working alternative. And yes, I agree that checking the payload is pointless if flash protection is either full-on (not needed) or full-off (attacker can modify coreboot itself). The only halfway reasonable use case would be if coreboot is in a write protected part of the flash chip and the payload is in an unprotected part of the flash chip.
Regards, Carl-Daniel