On 10/3/18 12:31 AM, Sam Kuper wrote:
On 02/10/2018, Nico Huber nico.huber@secunet.com wrote:
Am 02.10.18 um 13:48 schrieb Sam Kuper:
On 02/10/2018, Nico Huber nico.huber@secunet.com wrote:
You need to tamper more than just HEADS, otherwise the attestation of the firmware (e.g. via TOTP or a Librem Key) would fail.
That was not my understanding.
See this outline of a putative "BadHeads" attack: https://forums.puri.sm/t/prevent-bios-being-flashed-by-root-level-attacker-w...
Also see Kyle Rankin's apparent confirmation that such attacks succeed (on current Librems): https://forums.puri.sm/t/prevent-bios-being-flashed-by-root-level-attacker-w...
Sorry, I won't have the time to read through all this. In theory, it depends on when the measuring is started. If the measuring starts only late in HEADS (and not in coreboot), you are right. Generally you'd have to tamper the piece of software that starts the measuring.
The putative attack bypasses the measuring. As such, I can't see why it makes any difference whether the measuring starts early (in Coreboot), or late (in Heads). Sorry if I'm misunderstanding something basic.
Sorry, we might talk past each other here. I was talking about type 2. attacks (in your forum post). But if you consider type 1. and can just skip the attestation, you are right, the measuring doesn't matter any more. But there are other means to detect this (e.g. a TPM sealed disk- encryption key; if you can't boot anymore, you'll notice).
About type 2.: To me HEADS is a coreboot payload that runs after core- boot. If the measuring starts in coreboot, you have to tamper coreboot which is "more than just HEADS" (in my terms).
Nico
-
Nico Huber