Hi! How can I verify the non-execution of option ROMs? I recently noticed that I had somehow turned that on with one of my latest compiles (without yabel secure mode either).
The idea is that a hostile firmware update could flash a PCI-e card assigned to a VM and then mess with the host after the PC is rebooted (can be solved by using SR-IOV devices, but KGPE-D16/KCMA-D8 lacks SR-IOV support in coreboot despite the chipset supporting ARI).
I realize that I am a nobody and this is very unlikely to happen but OFC I still want max security >:3
Hello Taiidan,
Saturday, November 11, 2017, 12:11:56 AM, you wrote:
Tgc> Hi! how can I verify the non-execution of option roms? I recently
Tgc> noticed that I had somehow turned that on with one of my latest compiles
Tgc> (without yabel secure mode either)
You can't really prove a negative, so I can only imagine two options:
- remove the possibility to execute oproms from your firmware
- make a sentinel oprom which would print a warning/halt the system on execution
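
An added example, not part of the original thread and not coreboot's own code: a pre-flash check for the first option above, which reads a coreboot `.config` and reports any setting that lets the firmware load or run option ROMs. The Kconfig symbol names are assumptions taken from coreboot's `src/device/Kconfig` and can differ between tree versions; the sample config is constructed.

```python
import re
import sys

# Assumed Kconfig symbols (src/device/Kconfig); verify against your tree.
RUNS = {"VGA_ROM_RUN", "PCI_ROM_RUN"}               # firmware executes ROM code
LOADS = {"ON_DEVICE_ROM_LOAD", "ON_DEVICE_ROM_RUN"}  # ROMs are read from the cards
REALMODE = "PCI_OPTION_ROM_RUN_REALMODE"            # native run, no YABEL emulator

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            cfg[m.group(1)] = "n"
    return cfg

def audit(text):
    """Return sorted findings; an empty list means no symbol was enabled."""
    cfg = parse_config(text)
    enabled = lambda sym: cfg.get(sym, "n") == "y"
    findings = [f"CONFIG_{s}=y: firmware runs option ROM code"
                for s in RUNS if enabled(s)]
    findings += [f"CONFIG_{s}=y: ROMs are taken from add-in cards"
                 for s in LOADS if enabled(s)]
    # The execution method only matters when something is actually run.
    if any(enabled(s) for s in RUNS) and enabled(REALMODE):
        findings.append(f"CONFIG_{REALMODE}=y: ROM code runs natively, "
                        "not under YABEL")
    return sorted(findings)

# Constructed sample fragment, not taken from a real build.
SAMPLE = """\
CONFIG_VGA_ROM_RUN=y
CONFIG_PCI_ROM_RUN=y
CONFIG_ON_DEVICE_ROM_LOAD=y
CONFIG_PCI_OPTION_ROM_RUN_REALMODE=y
# CONFIG_PCI_OPTION_ROM_RUN_YABEL is not set
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(text)
    print("\n".join(results) or "no option ROM execution enabled")
    sys.exit(1 if results else 0)
```

Run it against the `.config` of the build about to be flashed; a non-zero exit means at least one of the settings is on. It covers only coreboot's own configuration, so a payload such as SeaBIOS, which has its own option ROM handling, needs a separate check.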