On 2020-03-07, Rich Freeman <[email protected]> wrote:
> In this case we're talking about a TPM where a threat model
> is an attacker with physical access that is trying to play games with
> the busses/etc, and as such it is important that it initialize using
> code in ROM that is known-good.
Note that the person behind the attack doesn't need physical access. If an attacker can shove malicious firmware into something like a PCI card with DMA bus-master capabilities, then on power-up that card can carry out the attack. However, getting the firmware into the PCI card would probably require root privileges, so there would need to be a pre-existing privilege-elevation vulnerability. I think. :)

-- Grant

