[coreboot] LinuxBIOS/coreboot and security
Corey Osgood
corey.osgood at gmail.com
Wed Jan 30 18:07:55 CET 2008
Ok, I'm not going to get too far into this, because I'm no real security
expert, but:
On Jan 30, 2008 11:40 AM, Philipp Marek <philipp at marek.priv.at> wrote:
> > > - Using some operating system unencrypted - boot from a CD.
> > > - Protect the boot order - reset the CMOS.
> > > - Store important information in the CMOS.
> > Neither is this.
> No, this should illustrate my thoughts ... so you can tell me *where* I'm
> wrong.
>
> > Coreboot will unconditionally launch its payload, so your interest
> should go
> > there.
> That's ok. It's a "normal" OS that has to be started.
>
> > Maybe you are also caught up too much in the conventional boot
> > process;
> That's possible, and that's why I'm asking here!
> I don't know that many ways to boot a machine - use ROM; use a BIOS and
> another medium; and that's it.
>
> Is there some easy solution I don't see?
>
> And just storing everything in ROM is a bit ... costly, and doesn't help
> against *getting* the secrets.
> Using some cheap substitute like flash memory only moves the problem from
> one
> location to another ...
I think what he was trying to say is that if you give coreboot, say, a FILO
payload set up to boot from some medium, with no support for any other
medium, then there's no switch you can throw, short of flashing a new bios
onto the board. You can do the same thing with a linux kernel, use that to
unconditionally kexec to a specific medium, or with large enough flash, you
could store the entire kernel in flash.
-Corey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20080130/125b446f/attachment.html>
More information about the coreboot
mailing list