[coreboot] SPI controller and Lock bits

Nico Huber nico.huber at secunet.com
Tue Oct 2 13:51:59 CEST 2018

Am 02.10.18 um 13:01 schrieb Martin Kepplinger:
> Am 26.09.2018 01:30 schrieb Youness Alaoui:
>> Hi,
>> I'm trying to add a way to lock the SPI flash to be read-only via
>> software *after* coreboot boots. The scenario is basically with using
>> Heads, you could authenticate to it (with a yubikey/nitrokey/librem
>> key) then be able to flash a new rom (update your BIOS), but once you
>> boot an OS, Heads would first lock the flash so it can't be written
>> to.
>> This should add some security to avoid any malware writing to the
>> flash, or someone booting into a USB stick and using that to flash a
>> malicious BIOS, but still gives the user the freedom of updating their
>> flash whenever they want to.
> I might be wrong, but since Heads already authenticates to you via TOTP,
> this wouldn't really add extra security, wouldn't it?

This is the most common misunderstanding about a measured boot. If you
don't have separate hardware that starts the measuring (usually you let
the firmware measure itself), you need a firmware part that starts the
measuring and is read-only for an attacker (referred to as read-only or
static `root of trust`). Otherwise you leave the decision what to mea-
sure to the attacker (and he can choose to measure the original software
before his tampering instead of the running program, and TOTP will still
work flawlessly).

So it's the other way around: without this, TOTP doesn't provide any
security at all.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xBD56B4A4138B3CE3.asc
Type: application/pgp-keys
Size: 5227 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20181002/39780b63/attachment.skr>

More information about the coreboot mailing list