Hi Coins,
I'm not coreboot, but I'm a part of it, so I will try to answer your question. CCing the coreboot mailing list for more input, as I can only assume that that list was the intended recipient for your email.
It is unproven that Intel deliberately builds in backdoors into their CPUs. However, a lot of their software / hardware designs create a rather large attack surface that could be exploited, if someone puts the right amount of resources on the problem.
This attack surface lives
- in the SOC's converged security management engine (CSME / ME), which in some SKUs enables remote access to the system through builtin network interfaces. The CSME cannot be fully disabled, but some security issues can be mitigated in a good hardware software design i.e. by using the non-enterprise (aka 1.5M SKU) of the ME firmware or by not using the SOC associated network interfaces (questionable) or by disabling as many CSME features as possible. CSME is particularly problematic because it can access main memory, so a remote attack could steal your private keys, rendering your cryptographical secrets useless.
- FSP / BLOBS. Closed source firmware pieces generally have the problem that they are impossible to audit. Even if there are fixed version out in the field, you can not tell from a binary what is fixed or not. Bugs are also impossible to fix, even when known. Imaginable attack scenarios could also be deliberate changes to memory training data which open known but fixed memory controller issues.
Generally coreboot tries to enable the user / developer / systembuilder to address as many of these concerns as possible, but it can not 100% fix them at this point. If you are concerned about your hardware architecture, please study the source code of coreboot and the available open documentation on x86 hardware (of which there is a fair amount) and help us audit our code.
Stefan
* Coins coins@cryptolab.net [190331 18:29]:
Dear Coreboot,
As far as I know, Intel puts proprietary backdoors in any recent CPU they develop.
How does this affect the security of a PC/laptop with coreboot installed when it is using such a processor?
Best regards,
Coins