[coreboot] Intel NIC security

Felix Held felix-coreboot at felixheld.de
Sat Jun 10 18:35:25 CEST 2017

Hi Taiidan!

> Is it worth figuring out how to externally re-flash grey market 
> "intel" nics - or is the onboard NVM flash unable to do anything too 
> terrible? In the newer (the 3 digit i/x series like i350, x540 etc) 
> nics intel has added a "security" flash write protect feature so I 
> imagine their flash stuff isn't as potentially innocent as in the 
> older chips. If so does anyone how to do this?
I only had a look at the i210 NIC and it can have settings like the MAC 
address, an x86 option ROM for network boot, a firmware area (IIRC that 
was ARCompact code) and a segment for some sort of provisioning data in 
the external flash chip:
(section 3.3)

To get code execution on the host, the option ROM would be the easiest 

The network card will probably still work if only the section containing 
the configuration and MAC address is there; it would be interesting if 
you tried that and report back the result. It would also be interesting 
if you can prevent writes to the then unused parts of the flash so that 
the now missing sections can't be added without an external programmer 
(IIRC you need to desolder the flash chip in order to read/write it with 
an external programmer).


More information about the coreboot mailing list