[coreboot] SPI controller and Lock bits

Nico Huber nico.h at gmx.de
Wed Oct 3 11:51:51 CEST 2018


On 10/3/18 12:31 AM, Sam Kuper wrote:
> On 02/10/2018, Nico Huber <nico.huber at secunet.com> wrote:
>> Am 02.10.18 um 13:48 schrieb Sam Kuper:
>>> On 02/10/2018, Nico Huber <nico.huber at secunet.com> wrote:
>>>> You need to tamper more than just HEADS, otherwise the attestation of
>>>> the firmware (e.g. via TOTP or a Librem Key) would fail.
>>>
>>> That was not my understanding.
>>>
>>> See this outline of a putative "BadHeads" attack:
>>> https://forums.puri.sm/t/prevent-bios-being-flashed-by-root-level-attacker-without-physical-access/3786/3
>>>
>>> Also see Kyle Rankin's apparent confirmation that such attacks succeed
>>> (on current Librems):
>>> https://forums.puri.sm/t/prevent-bios-being-flashed-by-root-level-attacker-without-physical-access/3786/4
>>
>> Sorry, I won't have the time to read through all this. In theory, it
>> depends on when the measuring is started. If the measuring starts only
>> late in HEADS (and not in coreboot), you are right. Generally you'd have
>> to tamper the piece of software that starts the measuring.
> 
> The putative attack bypasses the measuring. As such, I can't see why
> it makes any difference whether the measuring starts early (in
> Coreboot), or late (in Heads). Sorry if I'm misunderstanding something
> basic.

Sorry, we might talk past each other here. I was talking about type 2.
attacks (in your forum post). But if you consider type 1. and can just
skip the attestation, you are right, the measuring doesn't matter any
more. But there are other means to detect this (e.g. a TPM sealed disk-
encryption key; if you can't boot anymore, you'll notice).

About type 2.: To me HEADS is a coreboot payload that runs after coreboot.
If the measuring starts in coreboot, you have to tamper coreboot
which is "more than just HEADS" (in my terms).

Nico
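
The point above about where the measuring starts, as an added example that is not part of the original message and not coreboot or Heads code: a toy PCR chain with a key sealed to the expected PCR value. Assumptions: each of coreboot, Heads and the kernel is treated as a single image, the stage that starts the measuring is itself unmeasured, and all names and image contents are constructed.

```python
import hashlib

def extend(pcr: bytes, data: bytes) -> bytes:
    # TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measured_boot(chain, first_measurer):
    """Return the PCR after booting `chain`, a list of (name, image) pairs.

    The stage at index `first_measurer` starts the measuring. It is the root
    of trust and is not measured itself; every later stage is extended into
    the PCR before it runs. Earlier stages are not covered either.
    """
    pcr = bytes(32)  # PCR reset value
    for _name, image in chain[first_measurer + 1:]:
        pcr = extend(pcr, image)
    return pcr

def seal(secret, expected_pcr):
    # Stand-in for a TPM sealed blob: released only for a matching PCR.
    return {"pcr": expected_pcr, "secret": secret}

def unseal(blob, current_pcr):
    return blob["secret"] if blob["pcr"] == current_pcr else None

def tamper(chain, stage):
    # Copy of the chain with one stage's image modified.
    return [(n, img + b"+mod" if n == stage else img) for n, img in chain]

# Constructed sample images; names and contents are illustrative only.
GOOD = [("coreboot", b"coreboot image"), ("heads", b"heads payload"),
        ("kernel", b"os kernel")]
COREBOOT, HEADS = 0, 1  # index of the stage that starts the measuring

def detected(first_measurer, tampered_stage):
    """True if the sealed key is withheld after `tampered_stage` is modified."""
    blob = seal(b"disk key", measured_boot(GOOD, first_measurer))
    pcr = measured_boot(tamper(GOOD, tampered_stage), first_measurer)
    return unseal(blob, pcr) is None

if __name__ == "__main__":
    for start, label in ((COREBOOT, "coreboot"), (HEADS, "Heads")):
        for stage in ("coreboot", "heads", "kernel"):
            print(f"measuring starts in {label}, {stage} modified: "
                  f"{'detected' if detected(start, stage) else 'not detected'}")
```
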


