[coreboot] GSoC 2010

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sat Mar 6 20:28:06 CET 2010


On 06.03.2010 19:52, ron minnich wrote:
> It would be nice, if a flashrom is in there, to also have some sort of
> security too I think.
>
> Something that is not as easily compromised as the stuff that's out
> there now, which relies on security through obscurity.
>
> Is it even possible?
>   

Well, I implemented signature checking for coreboot (so that only signed
payloads would be executed).

The big question is: Do you want to protect against
1. someone with full hardware access (developer),
2. someone sitting in front of the machine but without hardware access
(computer pool),
3. against evil malware (including rootkits)?
I'd say the first category is pointless with current x86 hardware.
Second category should be easily achieved by requiring a signed boot
image for a non-lockdown boot. A default boot would be with locked down
flash, and only a special kernel/payload/bootable-file-on-disk would be
able to reflash. Needs chipset cooperation and/or one-shot GPIOs.
Third category would allow the user to select an unlocked boot. Locked
boot would be default, and the setting would not be stored anywhere to
avoid circumvention.


> The only thing I really trust is a jumper, but nobody seems to put
> those in any more. A pity.
>   

At least one modern flash chip ignores the write protect pin for some
erase commands. A jumper won't help here. Chipset lockdown can be
circumvented as well. If you really want a rootkit-resistant protection,
you need two flash chips and some additional circuitry.

(I once worked as an infosec penetration tester, and it shows. I don't
believe in magic, nor do I believe in correct operation of any chip
under non-standard conditions.)

Regards,
Carl-Daniel

-- 
"I do consider assignment statements and pointer variables to be among
computer science's most valuable treasures."
-- Donald E. Knuth





More information about the coreboot mailing list