[coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.

seclists at boxdan.com seclists at boxdan.com
Thu Oct 4 19:51:53 CEST 2018 

If there are any mailing lists which are more suitable to this discussion, please mention them so we may subscribe to them and discuss this there.


> David Hendricks <david.hendricks at gmail.com> hat am 4. Oktober 2018 um 19:00 geschrieben:
> 
> 
> On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot <
> coreboot at coreboot.org> wrote:
> 
> > But generally speaking: that discussion is rather off topic for this
> > mailing list.
> > Please look for some more suitable venue to discuss "people potentially
> > tampering other people's devices (with no obvious connection to coreboot)".
> >
> 
> Patrick is right that the Bloomberg article is not particularly well-suited
> for the coreboot mailing list.
> 
> However, it's still worth pointing out that supply chain attacks are a
> serious threat. This could be in the form of added hardware (like the
> Bloomberg article suggests) or it could be in the form of firmware that
> contains malicious code from any of the many parties involved in creating
> it.
> 
> Traditionally, firmware contains modules from the silicon vendor, a
> software vendor (IBV/ISV) who packages it with their SDK and value-add
> software, and ODMs/OEMs who make further product-specific additions. Modern
> firmware can easily contain over a million lines (or multiple millions of
> lines) of code from several parties, and this code runs at the highest
> privilege level before any OS-based security mechanism comes into play.
> Anyone in that part of the supply chain can slip in malicious code, and the
> customer usually doesn't have any way of viewing the code or tracing where
> it came from due to its closed nature.
> 
> That is relevant to coreboot insofar as coreboot has been leading the
> charge (with varying levels of success) for open and auditable firmware on
> x86 platforms for nearly two decades.
> -- 
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot

More information about the coreboot mailing list