Hi,
I'm pretty new to the SeaBIOS codebase. I've noticed a lot of interesting TPM-centric checkins recently. I was wondering if there was any roadmap for current/upcoming SeaBIOS security features. I'd be especially interested in any consumer devices that may have this enhanced BIOS security in their devices (or VMs). I haven't found anything on the topic, any pointers appreciated. I think most still consider BIOS to be "insecure", so I'd like to be able to note some BIOS security improvements, and where people can find them and use these features.
Thanks, Lee RSS: http://firmwaresecurity.com/feed
Hi,
On Wed, Jan 06, 2016 at 03:22:24PM -0800, Blibbet wrote:
> Hi,
> I'm pretty new to the SeaBIOS codebase. I've noticed a lot of interesting TPM-centric checkins recently. I was wondering if there was any roadmap for current/upcoming SeaBIOS security features. I'd be especially interested in any consumer devices that may have this enhanced BIOS security in their devices (or VMs). I haven't found anything on the topic, any pointers appreciated. I think most still consider BIOS to be "insecure", so I'd like to be able to note some BIOS security improvements, and where people can find them and use these features.
> Thanks, Lee RSS: http://firmwaresecurity.com/feed
As far as a roadmap, I understand there is a plan to add TPM 2.0 support to SeaBIOS.
I'm not aware of any new consumer devices shipping with the support, and I understand that KVM/QEMU have had TPM support for some time already.
Cheers, -Kevin
On 01/12/2016 11:36 AM, Kevin O'Connor wrote: [...]
> As far as a roadmap, I understand there is a plan to add TPM 2.0 support to SeaBIOS.
> I'm not aware of any new consumer devices shipping with the support, and I understand that KVM/QEMU have had TPM support for some time already.
> Cheers, -Kevin
Thanks for the info, mentioned results here, including today's TPMv2 checkin news:
http://firmwaresecurity.com/2016/01/15/seabios-gets-tpm2-security/
It sounds like some Chromebooks have SeaBIOS with TPMv1, unclear which OEM devices/models. I'm still interested in a list of other consumer devices with SeaBIOS and additional security, to point to in the blog.
I wish SeaBIOS documentation included a table comparing BIOS security features of all modern implementations, bare-metal and virtualized, to compare SeaBIOS's features with other BIOS implementations.
Thanks! Lee http://firmwaresecurity.com/feed
Blibbet wrote:
> It sounds like some Chromebooks have SeaBIOS with TPMv1
As far as I know all Chromebooks use their own payload which implements verified boot. The root of trust is the write-protected SPI flash. It is very well documented on the chromium website, you would only have to do very basic research to find it, which makes it very difficult for anyone to take your effort seriously. Please move along.
//Peter
On 01/15/2016 01:14 PM, Peter Stuge wrote:
> [...] It is very well documented on the chromium website, you would only have to do very basic research to find it, which makes it very difficult for anyone to take your effort seriously. Please move along.
Yes, I don't own a Chromebook, and I didn't fully research SeaBIOS consumer implementations, sorry. I'm learning SeaBIOS and coreboot, coming from a UEFI background.
Thanks for your patience. :-)
Lee
On Fri, Jan 15, 2016 at 12:38:12PM -0800, Blibbet wrote:
> On 01/12/2016 11:36 AM, Kevin O'Connor wrote: [...]
> > As far as a roadmap, I understand there is a plan to add TPM 2.0 support to SeaBIOS.
> > I'm not aware of any new consumer devices shipping with the support, and I understand that KVM/QEMU have had TPM support for some time already.
> > Cheers, -Kevin
> Thanks for the info, mentioned results here, including today's TPMv2 checkin news:
> http://firmwaresecurity.com/2016/01/15/seabios-gets-tpm2-security/
> It sounds like some Chromebooks have SeaBIOS with TPMv1, unclear which OEM devices/models. I'm still interested in a list of other consumer devices with SeaBIOS and additional security, to point to in the blog.
Google has been big on the TPM devices, so I thought all the chromebooks had them, but I don't know for sure.
> I wish SeaBIOS documentation included a table comparing BIOS security features of all modern implementations, bare-metal and virtualized, to compare SeaBIOS's features with other BIOS implementations.
There is a Wikipedia article that compares SeaBIOS to other proprietary BIOS implementations. I don't have direct knowledge on the features of proprietary BIOS, so can't help with a direct comparison.
https://en.wikipedia.org/wiki/BIOS_features_comparison
-Kevin
> > I wish SeaBIOS documentation included a table comparing BIOS security features of all modern implementations, bare-metal and virtualized, to compare SeaBIOS's features with other BIOS implementations.
> There is a Wikipedia article that compares SeaBIOS to other proprietary BIOS implementations. I don't have direct knowledge on the features of proprietary BIOS, so can't help with a direct comparison.
Thanks very much for this pointer, Kevin!
That table seems to be nearly the same as: https://en.wikipedia.org/wiki/BIOS#Vendors_and_products
Maybe there should be a row showing SeaBIOS's TPMv1 and new TPMv2 features, with question marks next to the closed-source vendors, as well as a mention in the Security section later on.
Maybe rows showing VMM usage of BIOS, where SeaBIOS has more coverage than closed-source options.
And the Alternatives section mentions coreboot, but no mention of the SeaBIOS payload version.
The table shows that only SeaBIOS has no Password; the others do. Strange small security feature that SeaBIOS doesn't have.
And strange to see in the table that only SeaBIOS has no Setup Screen, yet I seem to have noticed some TPM UI menu changes in the recent TPMv2 checkin.
And there are no columns for Intel's BIOS reference implementation, or qboot.
And back to my original query for a SeaBIOS security roadmap, I guess the Wikipedia SeaBIOS feature page is best for this, at least it mentions TPM. https://en.wikipedia.org/wiki/SeaBIOS
Thanks again.