On 11/02/2013 01:57 PM, ron minnich wrote:
[...] If you really want a system you can trust a bit more, get a Chromebook. The amount of work done in Chromebooks to protect it is extensive and extends beyond the 386 firmware to the ME and the EC and even aspects of the IO devices.
I'm sorry Ron, but you're just asking me to take your word for it. I can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a fool's paradise.
Alex
On Sun, Nov 3, 2013 at 2:47 PM, Alex mr.nuke.me@gmail.com wrote:
I'm sorry Ron, but you're just asking me to take your word for it. I can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a fool's paradise.
I can't argue with you on that one.
ron
On Sun, Nov 3, 2013 at 2:47 PM, Alex mr.nuke.me@gmail.com wrote:
I'm sorry Ron, but you're just asking me to take your word for it. I can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a fool's paradise.
of course, apropos your comment, do you use - wifi cards - usb sticks - sata disks
because in that case, you're a very trusting person :-)
ron
On Sun, Nov 3, 2013 at 11:47 AM, Alex mr.nuke.me@gmail.com wrote:
On 11/02/2013 01:57 PM, ron minnich wrote:
[...] If you really want a system you can trust a bit more, get a Chromebook. The amount of work done in Chromebooks to protect it is extensive and extends beyond the 386 firmware to the ME and the EC and even aspects of the IO devices.
I'm sorry Ron, but you're just asking me to take your word for it. I can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a fool's paradise.
Not true on the ARM Chromebook products. And just 'cuz the system agent blob on Intel systems is a real porker doesn't diminish the role of free software running underneath the sheets. At least with Coreboot you still get insight into the code flow, SMM handlers, how devices are set up and what they're allowed to load, etc. Plus the things that *aren't* there like potentially exploitable runtime module loading and runtime services.
Anyway, if you can find more open Intel-based systems* I'd like to see 'em.
*Before anyone suggests Minnowboard, don't. The pile of restrictively-licensed binary blobs necessary to boot those things rules them out.
On Sun, 03 Nov 2013 13:47:15 -0600 Alex mr.nuke.me@gmail.com wrote:
I'm sorry Ron, but you're just asking me to take your word for it. I can't do that. There's more secret code running on a Chromebook's firmware than there is free code. In fact, I would argue, most code where attack vectors could hide is secret. It's a fool's paradise.
It seems way worse with newer "FSP" blobs...
On qemu, coreboot is not necessary: some coreboot payloads (like seabios) are capable of being the full bootstrap firmware (because qemu is really simple: most of the complex hardware already works).
Then I really wonder what's left for coreboot in the systems that use the FSP blob.
If I understood correctly, coreboot would run as hooks, and do some mostly standard stuff that a payload (or coreboot) can do.
Then at the end coreboot would run a payload.
Denis.
* Denis 'GNUtoo' Carikli GNUtoo@no-log.org [131109 00:19]:
On qemu, coreboot is not necessary: some coreboot payloads (like seabios) are capable of being the full bootstrap firmware (because qemu is really simple: most of the complex hardware already works).
Then I really wonder what's left for coreboot in the systems that use the FSP blob.
Check out the coreboot source code for Sandybridge/Ivybridge/Haswell systems. It's out there, you can see what's left ;)
Stefan