Hello, I wouldn't be aware of any documentation regarding this, except this:
https://coreboot.org/status/kconfig-options.html

The option you want to set while configuring coreboot is, depending on your goal:

INTEL_CHIPSET_LOCKDOWN

and:

LOCK_SPI_FLASH_NO_ACCESS

Quote from the documentation:

"Select this if you want to protect the firmware flash against all further accesses (with the exception of the memory mapped BIOS region which is always readable). The locking will take place during the chipset lockdown, which is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. by the payload or the OS).

NOTE: If you trigger the chipset lockdown unconditionally, you won't be able to write to the flash chip using the internal programmer any more."

As you can see, depending on how you configure it, IMO coreboot is a lot more secure than stock BIOS, not to mention the fact that it is open source, and you can do a lot of fun stuff with payloads, like 2FA and full disk encryption, which also prevents Evil-Maid attacks at /boot.

Personally, I just like the idea of controlling my own devices, the security is a nice added benefit though. ;) I only really go down the security rabbit hole with older architectures like Sandy/Ivy Bridge, I'm not convinced it's worth the effort with new, fully blobbed architectures personally.

Also, keep in mind that if it comes to Evil Maid attacks, the best one can do is take care of the low hanging fruits. There are just so many options, and while you also could prevent reflashing the BIOS chip externally, I wouldn't be aware of any practical ways of preventing stuff like hardware keyloggers in your keyboard etc. Of course, one can always glue in all screws, or fill the holes with glitter-glue, so any modifications would be visible.

cheers

On 1/30/19 4:45 PM, Alexandre Belgrand wrote:
> On Wednesday 30 January 2019 at 12:38 +0100, Maillist wrote:
>> Only if you configure it that way. Also, even if you do, you wanna make
>> sure it only accepts updates signed by your personal key.
> Interesting. Could you point out the documentation explaining how.
> Thanks.
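
Added example, not part of the original message or of coreboot: a shell check that reads a coreboot `.config` and reports which flash-lock state the two options named above imply, following the quoted help text. The function names, result labels and sample fragments are constructed for illustration, and the `.config` line format is assumed to be standard Kconfig output.

```shell
#!/bin/sh
# Added example (not from the original message or the coreboot project).
# Assumption: .config is standard Kconfig output, where an enabled bool reads
# "CONFIG_<NAME>=y" and a disabled one is "# CONFIG_<NAME> is not set" or absent.

# kconfig_enabled FILE NAME: succeeds only if CONFIG_NAME=y is in FILE.
kconfig_enabled() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# flash_lock_posture FILE: print the flash-lock state the two options imply.
flash_lock_posture() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    if kconfig_enabled "$cfg" LOCK_SPI_FLASH_NO_ACCESS; then
        if kconfig_enabled "$cfg" INTEL_CHIPSET_LOCKDOWN; then
            # coreboot triggers the lockdown itself; the internal programmer
            # can no longer write the flash chip afterwards.
            echo "locked-by-coreboot"
        else
            # The lock only takes effect once the payload or the OS triggers
            # the chipset lockdown; until then this lock is not in effect.
            echo "lock-deferred"
        fi
    elif kconfig_enabled "$cfg" INTEL_CHIPSET_LOCKDOWN; then
        echo "lockdown-without-no-access"
    else
        echo "unlocked"
    fi
}

# Constructed sample fragments, not taken from a real board configuration.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'CONFIG_INTEL_CHIPSET_LOCKDOWN=y' \
    'CONFIG_LOCK_SPI_FLASH_NO_ACCESS=y' > "$sample_dir/locked.config"
printf '%s\n' '# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set' \
    'CONFIG_LOCK_SPI_FLASH_NO_ACCESS=y' > "$sample_dir/deferred.config"
printf '%s\n' 'CONFIG_INTEL_CHIPSET_LOCKDOWN=y' \
    '# CONFIG_LOCK_SPI_FLASH_NO_ACCESS is not set' > "$sample_dir/open.config"

for f in locked deferred open; do
    printf '%s: %s\n' "$f" "$(flash_lock_posture "$sample_dir/$f.config")"
done
```

The "lock-deferred" result is the case to watch for: the option is selected, but nothing in the coreboot build triggers the lockdown that applies it.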
