On 16/07/2019 00:45, Public Email Account via coreboot wrote:
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, July 15, 2019 1:45 PM, Trammell Hudson hudson@trmm.net wrote:
There are several ways to lock the flash. Two are "permanent":
This is what I'm worried about. I dont want to break anything by preventing any future flashing. I just want to prevent internal flashing.
Trammell knows his stuff in this regard. I did a lot of work on the x220 as my threat model contained the presumption that an actor would persist via firmware where possible. This led me to Trammels heads firmware work (which, if your threat model is talking about firmware read only, I suggest you check out heads as its going to go that extra mile for you). I believe that the meaning of "permanent" here does not mean the chip is never usable again. Its "permanent" in the fact that only someone with physical access could get around it. Use IFDtool to lock the image down, flash it and ground the WP pin. nothing should be able to write to it then.
Something that is overlooked is, even when neutered, no one really knows if ME has write access to flash stuff. It shouldnt be a problem with WP grounded - but I do go a little bit further and use a hex editor to zero out the VSCC table in the firmware before flashing. The ME, or whats left of it, then has no idea which chip its working with and the intel docs imply ME will not communicate with chip. Folks testing show it also causes ME to not come up either.. https://github.com/corna/me_cleaner/issues/80
In any event, the x220 does not have Bootguard, so a proximate attacker could rewrite the flash chip contents with an external programmer regardless of these protections. Hopefully that is compatible with your threat model.This does not matter. I have physical tamper detection on the computer. So even if someone did use an external flasher I would detect it.
Peronsally I use warranty seals with long unique serial numbers, to make the physical side tamper evident. Cheap and easy.
coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org