[coreboot] Remote security exploit in all 2008+ Intel platforms

Taiidan at gmx.com Taiidan at gmx.com
Tue May 2 08:49:16 CEST 2017


On 05/01/2017 10:52 PM, Youness Alaoui wrote:

> On Mon, May 1, 2017 at 7:22 PM, Taiidan at gmx.com <Taiidan at gmx.com> wrote:
>
>> On 05/01/2017 06:44 PM, ron minnich wrote:
>>
>>> On Mon, May 1, 2017 at 1:17 PM Rene Shuster
>>> <rene.shuster at bcsemail.org> wrote:
>>>
>>>> Yes Puri.sm has been debunked.
>>>
>>> I disagree. I've seen the systems. From what I can see, Puri.sm has
>>> made a good faith effort to go as far as possible *with modern x86
>>> chipsets* toward getting rid of the blobs. They can't get to 100%,
>>> but they're trying to get as close as possible.
>>>
>>> ron
>>>
>> Name one thing that they have done themselves?
>>
>> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>> (yeah it's Leah but she's right about the coreboot community being
>> corrupted)
>>
>> Everything they "do" is someone else's code, and their "coreboot" has zero
>> actual init code; it is entirely blobbed.
>>
>> Their marketing is the only thing that is good.
>>
>>
>> --
>> coreboot mailing list: coreboot at coreboot.org
>> https://mail.coreboot.org/mailman/listinfo/coreboot
>>
> Without entering into a flamewar, you're asking "name one thing that they
> have done themselves" and I will answer that.
> Full disclaimer: I am working for Purism, and I have been a paid contractor
> working since last December (part time initially, full time since March) on
> bringing coreboot and the ME-disablement effort to the Librem line of
> laptops (more precisely Librem 13 v1, and now working on the Librem 13 v2
> hardware which is set to be released/shipped next month).
I don't wanna argue this as it never leads anywhere, but one more thing:
why haven't you guys set realistic, easily attainable goals such as:
FM2 laptop.
KCMA-D8 laptop, with a 35W EE CPU, custom case, battery, keyboard, etc.
multi-core ARM laptop - see the Gigabyte MP30 for an example of a 
non-mobile, performance ARM system.

Both can easily be brought up to an RYF standard, but as it stands your 
products still don't have even native init - making "coreboot" pointless 
as it is simply a wrapper layer. The only way a new Intel/AMD laptop is
going to be "RYF" is if the standard is diluted.

It doesn't matter if you eventually somehow figure out how to run 
unsigned ME code, that is illegal under the DMCA so it can't be sold.

Anything is possible if you throw millions of reverse engineering 
dollars at it, but all that is good for is black hat stuff because the 
moment you release it to the world Intel will patch the "security flaw"
- which brings me back to the realistic goals.


