On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger c-d.hailfinger.devel.2006@gmx.net wrote:
On 06.03.2010 19:52, ron minnich wrote:
It would be nice, if a flashrom is in there, to also have some sort of security too I think.
Something that is not as easily compromised as the stuff that's out there now, which relies on security through obscurity.
Is it even possible?
Well, I implemented signature checking for coreboot (so that only signed payloads would be executed).
The big question is: Do you want to protect against
1. someone with full hardware access (developer),
2. someone sitting in front of the machine but without hardware access (computer pool),
3. evil malware (including rootkits)?
I'd say the first category is pointless with current x86 hardware.
I agree completely.
Second category should be easily achieved by requiring a signed boot image for a non-lockdown boot. A default boot would be with locked down flash, and only a special kernel/payload/bootable-file-on-disk would be able to reflash. Needs chipset cooperation and/or one-shot GPIOs. Third category would allow the user to select an unlocked boot. Locked boot would be default, and the setting would not be stored anywhere to avoid circumvention.
3 is the biggest concern. For me, anyway. (2) is close however.
At least one modern flash chip ignores the write protect pin for some erase commands. A jumper won't help here.
WHO designs this stuff? It would be nice to have a blacklist for such poor designs.
Chipset lockdown can be circumvented as well. If you really want a rootkit-resistant protection, you need two flash chips and some additional circuitry.
(I once worked as an infosec penetration tester, and it shows. I don't believe in magic, nor do I believe in correct operation of any chip under non-standard conditions.)
I'm glad you're on OUR side :-)
ron
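An added illustration of the locked-by-default boot policy discussed in this thread (signed payload required for a non-lockdown boot, lock state recomputed every boot and never stored); this is example code, not coreboot's or flashrom's own. It assumes a constructed key and uses HMAC-SHA256 as a stand-in for the asymmetric payload signature, since the standard library has no public-key signing.

```python
import hashlib
import hmac

# Constructed stand-in for the verification key a boot ROM would hold.
# HMAC is used only because the standard library lacks asymmetric signatures;
# a real design would verify a public-key signature over the payload image.
BOOT_KEY = b"constructed-demo-key-not-for-real-use"


def sign_payload(payload: bytes, key: bytes = BOOT_KEY) -> bytes:
    """Build-machine side: produce the tag shipped alongside the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def payload_is_signed(payload: bytes, sig: bytes, key: bytes = BOOT_KEY) -> bool:
    """Boot ROM side: constant-time compare so a forged tag leaks nothing."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


class FlashLock:
    """Model of a one-shot lock bit: once set, only a reset clears it."""

    def __init__(self) -> None:
        self.locked = False

    def lock(self) -> None:
        self.locked = True

    def unlock(self) -> bool:
        # A rootkit running after boot cannot clear the bit; only a reset
        # (constructing a fresh FlashLock) does. Always refused.
        return False


def boot(payload: bytes, sig: bytes, want_reflash: bool):
    """Decide the flash state for this boot.

    The decision is recomputed from scratch every boot and never persisted,
    so there is no stored 'unlocked' setting for malware to flip.
    Returns (lock, payload_accepted).
    """
    lock = FlashLock()
    accepted = payload_is_signed(payload, sig)
    if not (accepted and want_reflash):
        lock.lock()  # default path: locked-down flash
    return lock, accepted
```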