[coreboot] SPI controller and Lock bits

Sam Kuper sam.kuper at uclmail.net
Tue Oct 2 11:53:40 CEST 2018


On 01/10/2018, Youness Alaoui <kakaroto at kakaroto.homelinux.net> wrote:
>> [...] Youness and others at Purism: if you are reading this, please do
>> spec a momentary switch to control flashing on future Librems. Your
>> security-conscious users will thank you for it.
>
> Yes, I already suggested it for the next iteration.

Great!

> It wouldn't be a switch though, but rather a low-profile 90-degree
> jumper on the motherboard.

This seems to imply that each time a Librem user wants to internally
flash the ROM, she would have to:

- power down the laptop(?);
- implement ESD precautions;
- remove the half a dozen or so tiny bottom case screws, without
losing them, and without stripping their heads or threads or threaded
inserts;
- remove the bottom case;
- move a tiny motherboard jumper to "write-enable", without losing it;
- power up the laptop with the bottom case off(?);
- run flashrom (or equivalent);
- power down the laptop again(?);
- move the tiny motherboard jumper to "write-protect", without losing it;
- push-fit the bottom case correctly;
- insert the half a dozen or so tiny bottom case screws, without
losing them, and without stripping their heads or threads or threaded
inserts;
- power the laptop back up(?).

Surely, having a momentary switch next to the existing kill switches
would be *much* more user-friendly! With such a switch, such a user
would just have to:

- hold the switch down while starting flashrom (or equivalent);
- release the switch and let the flashing process finish.


> As for your question earlier about someone forgetting it, I would
> assume that it would be easy to have the Heads menu show a big warning
> to the user if it's left unprotected

Your assumption fails against a BadHeads attack.


> Right now, if you boot into Linux while ignoring tampering, you get
> your ttys in red, as a huge and very visible warning.

Only in the absence of BadHeads.


> Also, yes Sam, you did understand me perfectly, thanks!

Great! :)


