Hello Coreboot community,
I'm writing a story on new research by Ilja van Sprundel and Joseph Tartaro demonstrating vulnerabilities in bootloaders, including some in Coreboot. Would love to chat with someone involved in the project - is that possible?
Yes, feel free to send more advanced questions to this list, would be an interesting discussion!
On Thu, Dec 5, 2019 at 11:26 PM Seth Rosenblatt seth@the-parallax.com wrote:
Hello Coreboot community,
I'm writing a story on new research by Ilja van Sprundel and Joseph Tartaro demonstrating vulnerabilities in bootloaders, including some in Coreboot. Would love to chat with someone involved in the project - is that possible?
-- Seth Rosenblatt, Editor-in-Chief, The Parallax. Phone/Signal/WhatsApp: 415-730-3194
On Sun, Dec 8, 2019 at 12:00 AM Mike Banon mikebdp2@gmail.com wrote:
Yes, feel free to send more advanced questions to this list, would be an interesting discussion!
Looks like the article has already gone out: https://the-parallax.com/2019/12/06/bootloader-security-pacsec/
In any case, if there are undisclosed vulnerabilities or any other urgent security issue that requires an immediate fix then please notify security@coreboot.org (also mentioned on the coreboot.org homepage).
For general inquiries then this mailing list is fine.
I wasn't able to find the security@ alias, otherwise would've emailed y'all there. I didn't hear back before publication but happy to make any corrections if needed. I'm also willing to include a statement from Coreboot if you want to send one over.
On Sun, Dec 8, 2019 at 1:40 PM David Hendricks david.hendricks@gmail.com wrote:
Looks like the article has already gone out: https://the-parallax.com/2019/12/06/bootloader-security-pacsec/
In any case, if there are undisclosed vulnerabilities or any other urgent security issue that requires an immediate fix then please notify security@coreboot.org (also mentioned on the coreboot.org homepage).
For general inquiries then this mailing list is fine.
Hi Seth,
On Mon, Dec 9, 2019, 19:02 Seth Rosenblatt seth@the-parallax.com wrote:
I wasn't able to find the security@ alias, otherwise would've emailed y'all there. I didn't hear back before publication but happy to make any corrections if needed. I'm also willing to include a statement from Coreboot if you want to send one over.
Note that the word `coreboot` is meant to be written in lowercase, even at the beginning of a sentence. It would be great if this could be amended in the article.
Thanks in advance,
Angel
On Mon, 9 Dec 2019 at 19:02, Seth Rosenblatt seth@the-parallax.com wrote:
I wasn't able to find the security@ alias, otherwise would've emailed y'all there. I didn't hear back before publication but happy to make any corrections if needed. I'm also willing to include a statement from Coreboot if you want to send one over.
Sadly there's little content in your article about what claims were made and which parts of these claims apply to coreboot. The figure about the ARM trusted boot flow is copied out of the old paper you linked, which makes no mention of coreboot. It seems impossible to find the slides or even a recording of the talks that you covered in the article. Apart from a few tweets and your article, that entire thing might as well not exist, even though the conference was apparently over a month ago.
All that makes it hard to give any clear statement on the subject matter.
Regards, Patrick
On Mon, 9 Dec 2019 09:08:35 -0800 Seth Rosenblatt seth@the-parallax.com wrote:
I wasn't able to find the security@ alias, otherwise would've emailed y'all there. I didn't hear back before publication but happy to make any corrections if needed. I'm also willing to include a statement from Coreboot if you want to send one over.
Note that I cannot speak for Coreboot.
Here I want to point out that security is relative to a threat model.
The fact that the boot software (Coreboot, u-boot, etc) can be replaced by users is crucial for freedom.
I wouldn't want to use a computer whose boot software is signed in a way that prevents users from replacing it, as that would be an attack on freedom. That attack would also be a security issue for me, as the device manufacturer is part of my threat model.
I wouldn't feel safe in a jail either.
Denis.