On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger <[email protected]> wrote: > On 06.03.2010 19:52, ron minnich wrote: >> It would be nice, if a flashrom is in there, to also have some sort of >> security too I think. >> >> Something that is not as easily compromised as the stuff that's out >> there now, which relies on security through obscurity. >> >> Is it even possible? >> > > Well, I implemented signature checking for coreboot (so that only signed > payloads would be executed). > > The big question is: Do you want to protect against > 1. someone with full hardware access (developer), > 2. someone sitting in front of the machine but without hardware access > (computer pool), > 3. against evil malware (including rootkits)? > I'd say the first category is pointless with current x86 hardware.
I agree completely. > Second category should be easily achieved by requiring a signed boot > image for a non-lockdown boot. A default boot would be with locked down > flash, and only a special kernel/payload/bootable-file-on-disk would be > able to reflash. Needs chipset cooperation and/or one-shot GPIOs. > Third category would allow the user to select an unlocked boot. Locked > boot would be default, and the setting would not be stored anywhere to > avoid circumvention. 3 is the biggest concern. For me, anyway. (2) is close however. > At least one modern flash chip ignores the write protect pin for some > erase commands. A jumper won't help here. WHO designs this stuff? it would be nice to have a blacklist for such poor designs. >Chipset lockdown can be > circumvented as well. If you really want a rootkit-resistant protection, > you need two flash chips and some additional circuitry. > > (I once worked as an infosec penetration tester, and it shows. I don't > believe in magic, nor do I believe in correct operation of any chip > under non-standard conditions.) I'm glad you're on OUR side :-) ron -- coreboot mailing list: [email protected] http://www.coreboot.org/mailman/listinfo/coreboot
