On 17.02.19 02:35, Frank Beuth wrote:
> On Sat, Feb 16, 2019 at 06:00:26PM +0100, Nico Huber wrote:
>> Generally, what locking options you have depends much on your hardware. Hence, there is no generic solution in coreboot. Plus, coreboot is more a firmware framework than a firmware. It can only "boot" programs from flash and not your OS from disk. So you need a coreboot "payload" to do the latter and sometimes it's up to that payload to do such locking.
> I see, so this question would be more properly directed at the SeaBIOS list?
What, why? Did you just say "SeaBIOS" because I said "sometimes ... payload"?
SeaBIOS is a very generic payload, trying not to be board specific. And I just said it depends on the hardware. Also, all generic, one-fits-all-scenarios solutions for flash locking that I've heard about failed (exploits, exploits, exploits).
Before you ask somebody to implement a lock, you should ask yourself why. "Somebody said malware can overwrite x" isn't a good reason. We allow malware to overwrite our on-disk boot loader, we allow malware to overwrite our kernel; nobody cares / it depends on the way we use our software. We are used to relying on some firmware lock because their vendors gave us no other means to feel secure. But coreboot can give us other means, because it is no black box. For instance, one can just reflash coreboot when they feel compromised, like we reinstall our OS in case.
When you are sure that you want a lock, you still have to decide what kind of lock. And that depends on what you actually want to protect against (e.g. online attack by a compromised OS) and how much flexibility you are willing to sacrifice (e.g. online firmware updates).
Nico