[coreboot] Re: Question how to write protect flash

Sat, 20 Jul 2019 07:31:02 -0700 

On 16/07/2019 00:45, Public Email Account via coreboot wrote:



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, July 15, 2019 1:45 PM, Trammell Hudson <[email protected]> wrote:


There are several ways to lock the flash. Two are "permanent":


This is what I'm worried about. I dont want to break anything by preventing any 
future flashing. I just want to prevent internal flashing.



Trammell knows his stuff in this regard. I did a lot of work on the x220 
as my threat model contained the presumption that an actor would persist 
via firmware where possible. This led me to Trammels heads firmware work 
(which, if your threat model is talking about firmware read only, I 
suggest you check out heads as its going to go that extra mile for you). 
I believe that the meaning of "permanent" here does not mean the chip is 
never usable again. Its "permanent" in the fact that only someone with 
physical access could get around it. Use IFDtool to lock the image down, 
flash it and ground the WP pin. nothing should be able to write to it then.



Something that is overlooked is, even when neutered, no one really knows 
if ME has write access to flash stuff. It shouldnt be a problem with WP 
grounded - but I do go a little bit further and use a hex editor to zero 
out the VSCC table in the firmware before flashing. The ME, or whats 
left of it, then has no idea which chip its working with and the intel 
docs imply ME will not communicate with chip. Folks testing show it also 
causes ME to not come up either.. 
https://github.com/corna/me_cleaner/issues/80






     In any event, the x220 does not have Bootguard, so a proximate attacker 
could rewrite the flash chip contents with an external programmer regardless of 
these protections. Hopefully that is compatible with your threat model.


This does not matter. I have physical tamper detection on the computer. So even 
if someone did use an external flasher I would detect it.

Peronsally I use warranty seals with long unique serial numbers, to make 
the physical side tamper evident. Cheap and easy.

_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]

_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]






















					Reply via email to