On Tue, May 13, 2008 at 4:11 AM, Brendan Trotter btrotter@gmail.com wrote:
Of course this is just a silly side issue. The main reason for my post was to highlight your hypocrisy - "Everyone look! Some proprietary BIOS has an SMM related vulnerability! The world, sooner or later, is going to get the message :-)".
Gosh, you've missed my point twice now and called me a hypocrite in the bargain?
I'll try again. Then I'll give up.
An end-user can, if they need to, have a far better chance of verifying a coreboot-based system than they can have of verifying a binary-only system, in the same sense that they can have more confidence in a system based on open source than on binaries. In the limit, they can build, burn, and flash their own firmware, replacing that which came from the factory. That's simply not possible with a binary-only BIOS.
That's not to say that either is perfect. I'll let you consider the relative difficulty of verifying coreboot source vs. binary firmware for end-users who probably won't get the source.
Your idea that one would corrupt a single system and sell it on ebay is just naive, and as you pointed out, it's silly.
Finally, the idea that it is somehow harder to corrupt a binary-only based firmware system to which one has no source, vs. a binary only coreboot for which one has source, given the kind of resources that the bad guys have nowadays, is also quite naive (you should take it as a given that they *already have* the source to all the BIOSes out there anyway).
Which leaves me wondering what point you were trying to make in the first place.
ron