[coreboot] Is this fake news or not? Bloomberg says China is using a rice-sized chip to hack amazon servers.

Lance Zhao lance.zhao at gmail.com
Thu Oct 4 21:24:16 CEST 2018


Well said about open and auditable,

On Thu, Oct 4, 2018 at 10:53 AM <seclists at boxdan.com> wrote:

> If there are any mailing lists which are more suitable to this discussion,
> please mention them so we may subscribe to them and discuss this there.
>
>
> > David Hendricks <david.hendricks at gmail.com> wrote on October 4, 2018 at 19:00:
> >
> >
> > On Thu, Oct 4, 2018 at 9:22 AM Patrick Georgi via coreboot <
> > coreboot at coreboot.org> wrote:
> >
> > > But generally speaking: that discussion is rather off topic for this
> > > mailing list.
> > > Please look for some more suitable venue to discuss "people potentially
> > > tampering other people's devices (with no obvious connection to
> > > coreboot)".
> > >
> >
> > Patrick is right that the Bloomberg article is not particularly well-suited
> > for the coreboot mailing list.
> >
> > However, it's still worth pointing out that supply chain attacks are a
> > serious threat. This could be in the form of added hardware (like the
> > Bloomberg article suggests) or it could be in the form of firmware that
> > contains malicious code from any of the many parties involved in creating
> > it.
> >
> > Traditionally, firmware contains modules from the silicon vendor, a
> > software vendor (IBV/ISV) who packages it with their SDK and value-add
> > software, and ODMs/OEMs who make further product-specific additions. Modern
> > firmware can easily contain over a million lines (or multiple millions of
> > lines) of code from several parties, and this code runs at the highest
> > privilege level before any OS-based security mechanism comes into play.
> > Anyone in that part of the supply chain can slip in malicious code, and the
> > customer usually doesn't have any way of viewing the code or tracing where
> > it came from due to its closed nature.
> >
> > That is relevant to coreboot insofar as coreboot has been leading the
> > charge (with varying levels of success) for open and auditable firmware on
> > x86 platforms for nearly two decades.
> > --
> > coreboot mailing list: coreboot at coreboot.org
> > https://mail.coreboot.org/mailman/listinfo/coreboot