It seems that flashrom is able to flash the BIOS chip internally. This is frightening. This means that malware or anything that gets sudo rights, or anyone who gets physical access to the computer, is able to rewrite the flash.
Don't say "if there is physical access to your computer, it's game over"; this is now true. I have a way to tamper-detect if the case was opened.
My question is: how can I make it so that coreboot can only be flashed and updated using the external SOIC clip on the BIOS chip, without having to worry about permanently locking it down? I want to be able to reflash coreboot and SeaBIOS, but only using an external flasher when needed. I want to block internal flashing.
How can this be done? I have not found any documentation anywhere on how to do this. The laptop is an X220.
Thank you
Sent with [ProtonMail](https://protonmail.com) Secure Email.
Typo: "this is now true." should read "This is NOT true."
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, July 14, 2019 9:21 PM, Public Email Account publicthrowawayemail@protonmail.com wrote:
Hi,
for the X220, there should be related options in the "Chipset" menu of the coreboot configuration:
"Lock down chipset in coreboot" and "Flash locking during chipset lockdown"
On 14.07.19 23:21, Public Email Account via coreboot wrote:
It seems that flashrom is able to flash the BIOS chip internally. This is frightening. This means that malware or anything that gets sudo rights, or anyone who gets physical access to the computer, is able to rewrite the flash.
Whether this is bad depends on how you deal with your flash chip contents. It seems you already know that "malware or anything that gets sudo rights" can overwrite the data on your hard drive (e.g. your trusted OS). Your hard drive is usually not write-protected either.
So if you scrub your hard drive after you suspect a malware infection, you can also scrub a flash chip in the same case. That firmware needs a different level of protection is what a proprietary firmware vendor would tell you, because you have no means at all to trust the firmware and restore it. With open-source firmware, however, you have the freedom to treat things differently.
Nico
IIRC the X220 uses Sandy Bridge. I think there is a flag somewhere in the descriptor where you can lock down your BIOS region as read-only for the x86 host. I have never tried it, but in theory this should lead to errors on every write attempt to the BIOS region, therefore disabling write access to the flash from the OS/flashrom.
Werner
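To see what the descriptor flag Werner refers to looks like, here is an added Python example (not code from this thread, from coreboot or from ifdtool) that decodes the per-master region access permissions from an Intel flash descriptor, the same FLMSTR fields that ifdtool dumps. It assumes the version-1 layout of Sandy Bridge era descriptors (read bits 20:16, write bits 28:24, one bit per region) and works on a constructed 4 KiB descriptor rather than a real X220 dump.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A
# One bit per region in both the read and the write field of a FLMSTR word
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
MASTERS = ["Host CPU/BIOS", "Intel ME", "GbE"]
# Assumed version-1 (Sandy Bridge era) FLMSTR layout: read bits 20:16, write bits 28:24
RD_SHIFT, WR_SHIFT = 16, 24

def find_descriptor(image):
    """Return the offset of the descriptor signature (at 0x0 or 0x10), or None."""
    for off in (0x0, 0x10):
        if len(image) >= off + 4 and struct.unpack_from("<I", image, off)[0] == FD_SIGNATURE:
            return off
    return None

def master_permissions(image):
    """Decode FLMSTR1..3 into {master: {"read": [regions], "write": [regions]}}."""
    sig = find_descriptor(image)
    if sig is None:
        raise ValueError("no flash descriptor signature found")
    flmap1 = struct.unpack_from("<I", image, sig + 8)[0]
    fmba = (flmap1 & 0xFF) << 4  # master section base, stored in 16-byte units
    perms = {}
    for i, name in enumerate(MASTERS):
        flmstr = struct.unpack_from("<I", image, fmba + 4 * i)[0]
        perms[name] = {
            "read": [r for b, r in enumerate(REGIONS) if flmstr & (1 << (RD_SHIFT + b))],
            "write": [r for b, r in enumerate(REGIONS) if flmstr & (1 << (WR_SHIFT + b))],
        }
    return perms

def host_can_write_bios(image):
    """True if the descriptor grants the host CPU/BIOS master write access to the BIOS region."""
    return "BIOS" in master_permissions(image)["Host CPU/BIOS"]["write"]

def build_sample(flmstr1):
    """Constructed 4 KiB descriptor (not a real dump): signature at 0x10, masters at 0x60."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x18, 0x60 >> 4)    # FLMAP1: only FMBA filled in
    struct.pack_into("<I", img, 0x60, flmstr1)      # FLMSTR1: host CPU/BIOS
    struct.pack_into("<I", img, 0x64, 0x0C0C0000)   # FLMSTR2: ME reads/writes ME and GbE
    struct.pack_into("<I", img, 0x68, 0x08080000)   # FLMSTR3: GbE reads/writes GbE only
    return bytes(img)

if __name__ == "__main__":
    for label, value in (("open", 0x1F1F0000), ("BIOS write withheld", 0x1D1F0000)):
        print(label, master_permissions(build_sample(value))["Host CPU/BIOS"])
```

Run it against the first 4 KiB of a real dump to compare what the descriptor grants before and after a change; whether the controller actually refuses host writes to the BIOS region based on this bit is the part Werner says he has not tested.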
-----Original Message----- From: Nico Huber nico.h@gmx.de Sent: Monday, 15 July 2019 00:18 To: Public Email Account publicthrowawayemail@protonmail.com; coreboot@coreboot.org Subject: [coreboot] Re: Question how to write protect flash
Thank you. I'll check this. But if there are two options, which one should I select? Are these two options different?
And I am aware that malware can infect my OS. I am just more worried about persistence of malware in the BIOS, which is why I want to write-protect it.
And would these two options, while blocking internal flashing, still allow me to flash externally?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, July 14, 2019 5:17 PM, Nico Huber nico.h@gmx.de wrote: