If there are any mailing lists which are more suitable to this discussion, please mention them so we may subscribe to them and discuss this there.
David Hendricks david.hendricks@gmail.com hat am 4. Oktober 2018 um 19:00 geschrieben:
On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot < coreboot@coreboot.org> wrote:
But generally speaking: that discussion is rather off topic for this mailing list. Please look for some more suitable venue to discuss "people potentially tampering other people's devices (with no obvious connection to coreboot)".
Patrick is right that the Bloomberg article is not particularly well-suited for the coreboot mailing list.
However, it's still worth pointing out that supply chain attacks are a serious threat. This could be in the form of added hardware (like the Bloomberg article suggests) or it could be in the form of firmware that contains malicious code from any of the many parties involved in creating it.
Traditionally, firmware contains modules from the silicon vendor, a software vendor (IBV/ISV) who packages it with their SDK and value-add software, and ODMs/OEMs who make further product-specific additions. Modern firmware can easily contain over a million lines (or multiple millions of lines) of code from several parties, and this code runs at the highest privilege level before any OS-based security mechanism comes into play. Anyone in that part of the supply chain can slip in malicious code, and the customer usually doesn't have any way of viewing the code or tracing where it came from due to its closed nature.
That is relevant to coreboot insofar as coreboot has been leading the charge (with varying levels of success) for open and auditable firmware on x86 platforms for nearly two decades. -- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
Well said about open and auditable,
On Thu, Oct 4, 2018 at 10:53 AM seclists@boxdan.com wrote:
If there are any mailing lists which are more suitable to this discussion, please mention them so we may subscribe to them and discuss this there.
David Hendricks david.hendricks@gmail.com hat am 4. Oktober 2018 um
19:00 geschrieben:
On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot < coreboot@coreboot.org> wrote:
But generally speaking: that discussion is rather off topic for this mailing list. Please look for some more suitable venue to discuss "people potentially tampering other people's devices (with no obvious connection to
coreboot)".
Patrick is right that the Bloomberg article is not particularly
well-suited
for the coreboot mailing list.
However, it's still worth pointing out that supply chain attacks are a serious threat. This could be in the form of added hardware (like the Bloomberg article suggests) or it could be in the form of firmware that contains malicious code from any of the many parties involved in creating it.
Traditionally, firmware contains modules from the silicon vendor, a software vendor (IBV/ISV) who packages it with their SDK and value-add software, and ODMs/OEMs who make further product-specific additions.
Modern
firmware can easily contain over a million lines (or multiple millions of lines) of code from several parties, and this code runs at the highest privilege level before any OS-based security mechanism comes into play. Anyone in that part of the supply chain can slip in malicious code, and
the
customer usually doesn't have any way of viewing the code or tracing
where
it came from due to its closed nature.
That is relevant to coreboot insofar as coreboot has been leading the charge (with varying levels of success) for open and auditable firmware
on
x86 platforms for nearly two decades.
coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot