On 9/28/18 4:18 AM, Sam Kuper wrote:
On 28/09/2018, Peter Stuge peter@stuge.se wrote:
Youness Alaoui wrote:
avoid any malware writing to the flash
Just disallow flash writes by the platform. Allow flash writes only by dedicated hardware (maybe ChromeEC?) which implements a simple and efficient security protocol.
Relevant URL: https://www.chromium.org/chromium-os/ec-development#TOC-Write-Protect
This seems to state the opposite of what Peter suggested, i.e. the host firmware is responsible for validating the EC firmware('s update) and not the other way around. IMHO, a good idea.
Nico
It's not a screw in Chromebooks any more; see Vadim's excellent OSFC.io talk on how it works now.
I think the momentary switch would not be acceptable to anyone for cost and reliability reasons. The way Chromebooks do the protection now is really well done.
On Sat, Sep 29, 2018 at 8:26 AM Nico Huber nico.h@gmx.de wrote:
On 9/28/18 4:18 AM, Sam Kuper wrote:
On 28/09/2018, Peter Stuge peter@stuge.se wrote:
Youness Alaoui wrote:
avoid any malware writing to the flash
Just disallow flash writes by the platform. Allow flash writes only by dedicated hardware (maybe ChromeEC?) which implements a simple and efficient security protocol.
Relevant URL:
https://www.chromium.org/chromium-os/ec-development#TOC-Write-Protect
This seems to state the opposite of what Peter suggested, i.e. the host firmware is responsible for validating the EC firmware('s update) and not the other way around. IMHO, a good idea.
Nico