Dear Stefan, Alex,
Thank you for your response and information provided.
Indeed, an open-source BIOS would not be less secure than a proprietary BIOS;
quite the opposite is what I would expect.
Basically what I am wondering is, are there any security benefits from
using older generation (perhaps 3rd gen) Intel CPUs rather than newer
hardware?
Currently I am using old hardware, but I do miss having the latest
performance capabilities at my disposal.
Any thoughts on this?
Kind regards,
Coins
On 4/2/19 5:03 AM, Alex Feinman wrote:
To add to this - in my opinion there is no reason to believe that coreboot is
less secure than a proprietary BIOS built on top of the code distributed by
Intel to established BIOS vendors (AMI, Phoenix/Award, etc.). The FSPs are also
built out of that same code, and because coreboot is open source, it at least
can be audited. As Stefan points out, CSME/ME is the main source of worry for
the security-conscious, and from this standpoint there is no difference between
coreboot and the proprietary BIOS.
Best regards
Alex
________________________________________
From: Stefan Reinauer <[email protected]>
Sent: Monday, April 1, 2019 5:53 PM
To: Coins
Cc: [email protected]
Subject: [coreboot] Re: Question regarding 7th generation Intel CPUs
Hi Coins,
I'm not coreboot, but I'm a part of it, so I will try to answer your
question. CCing the coreboot mailing list for more input, as I can only
assume that that list was the intended recipient for your email.
It is unproven that Intel deliberately builds backdoors into their
CPUs. However, a lot of their software / hardware designs create a
rather large attack surface that could be exploited if someone puts the
right amount of resources on the problem.
This attack surface lives:
- in the SoC's converged security management engine (CSME / ME), which
in some SKUs enables remote access to the system through built-in
network interfaces. The CSME cannot be fully disabled, but some
security issues can be mitigated in a good hardware/software design,
i.e. by using the non-enterprise (aka 1.5M SKU) of the ME firmware, or
by not using the SoC-associated network interfaces (questionable), or
by disabling as many CSME features as possible.
CSME is particularly problematic because it can access main memory, so
a remote attack could steal your private keys, rendering your
cryptographic secrets useless.
- FSP / blobs. Closed-source firmware pieces generally have the problem
that they are impossible to audit. Even if there are fixed versions out
in the field, you cannot tell from a binary what is fixed or not.
Bugs are also impossible to fix, even when known. Imaginable attack
scenarios could also be deliberate changes to memory training data
which open known but fixed memory controller issues.
Generally, coreboot tries to enable the user / developer / system builder
to address as many of these concerns as possible, but it cannot 100%
fix them at this point. If you are concerned about your hardware
architecture, please study the source code of coreboot and the available
open documentation on x86 hardware (of which there is a fair amount) and
help us audit our code.
Stefan
* Coins <[email protected]> [190331 18:29]:
Dear Coreboot,
As far as I know, Intel puts proprietary backdoors in any recent CPU they
develop.
How does this affect the security of a PC/laptop with coreboot installed
when it is using such a processor?
Best regards,
Coins
_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]