Dear developers of Coreboot.
I am a student at the University of Bremen, Germany. In our recently started project 'badUSB' our team researches for new ways to detect and prevent attacks through reverse engineered USB devices-firmware (so called 'badusb'). One of our main security targets is to stop boot sector attacks. Therefore we are looking forward to find solutions based on opensource coreboot.
Right now we try to decide on supported hardware and were hoping to get help directly from people who already faced the problem. We saw your vendor list but are especially interested in information about tips for developing. Are there any systems that were easier to build for? Maybe you got suggestions for development environments (virtual maschines you used?) or warnings to beware us from some pitfalls.
With best regards Tobias Wegner
Hi Tobias,
Tobias Wegner wrote:
'badusb' One of our main security targets is to stop boot sector attacks.
Then use a payload which ignores MBR, such as FILO, Linux or GRUB. Almost anything except SeaBIOS.
Given your focus on USB, a Linux payload with custom initramfs is especially interesting. Then you can do this as part of the boot process:
for bus in /sys/bus/usb/devices/usb*; do echo 0 > $bus/authorized_default; done
And of course use standard utilities both to interact with TPM if you like, and to check signatures of follow-up code executed after the initramfs.
//Peter
On Sun, Nov 20, 2016 at 01:08:30AM +0000, Peter Stuge wrote:
[...] Given your focus on USB, a Linux payload with custom initramfs is especially interesting.
Tobias -- I've been working on building a Linux payload with a focus on how to integrate with the TPM and other security research. The scripts for building the initrd and bundling them with coreboot might be useful for you to get started:
-
Peter Stuge -
Tobias Wegner -
Trammell Hudson