On Sun, Nov 3, 2013 at 11:47 AM, Alex mr.nuke.me@gmail.com wrote:
On 11/02/2013 01:57 PM, ron minnich wrote:
[...] If you really want a system you
can trust a bit more, get a Chromebook. The amount of work done in Chromebooks to protect it is extensive and extends beyond the 386 firmware to the ME and the EC and even aspects of the IO devices.
I'm sorry Ron, but you're just asking me to take your word for it. I
can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a foul's paradise.
Not true on the ARM Chromebook products. And just 'cuz the system agent blob on Intel systems is a real porker doesn't diminish the role of free software running underneath the sheets. At least with Coreboot you still get insight into the code flow, SMM handlers, how devices are set up and what they're allowed to load, etc. Plus the things that *aren't* there like potentially exploitable runtime module loading and runtime services.
Anyway, if you can find more open Intel-based systems* I'd like to see 'em.
*Before anyone suggests Minnowboard, don't. The pile of restrictively-licensed binary blobs necessary to boot those things rules them out.