Difference between revisions of "Security"

From coreboot
Jump to: navigation, search
(Updated most wanted security features)
m (Common security features)
(2 intermediate revisions by the same user not shown)
Line 7: Line 7:
 
* Boot password (like BIOS password)
 
* Boot password (like BIOS password)
 
* RAM wiping after each boot
 
* RAM wiping after each boot
* Signature verification - to boot from payload only signing images
+
* Signature verification - option to boot from payload only signed images
 
* Support to encrypted block devices/volumes
 
* Support to encrypted block devices/volumes
  
== RAM wiping ==
+
[[Bayou]] / [[coreinfo]] have "BIOS password"-like feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip.
 +
 
 +
Coreboot can be full-secure solution for your hardware, without this issues, which have "legacy" BIOS:
 +
 
 +
== Current BIOS issues ==
 +
 
 +
=== RAM wiping ===
  
 
* http://citp.princeton.edu/memory/
 
* http://citp.princeton.edu/memory/
 
* [[Coreinfo]] as demo payload for coreboot, [http://www.coreboot.org/images/3/3d/Coreinfo_ramdump.jpg showing your RAM contents after a cold boot].
 
* [[Coreinfo]] as demo payload for coreboot, [http://www.coreboot.org/images/3/3d/Coreinfo_ramdump.jpg showing your RAM contents after a cold boot].
  
== SMI issues ==
+
=== SMI issues ===
  
 
* http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf
 
* http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf
 
* http://tracker.coreboot.org/trac/coreboot/ticket/42
 
* http://tracker.coreboot.org/trac/coreboot/ticket/42
  
== ATA issues ==
+
=== ATA issues ===
  
 
* http://coreboot.org/pipermail/coreboot/2005-May/011686.html
 
* http://coreboot.org/pipermail/coreboot/2005-May/011686.html
 
* http://www.heise.de/ct/english/05/08/172/
 
* http://www.heise.de/ct/english/05/08/172/
  
== BIOS password feature ==
+
=== Firewire issues ===
 
+
* [[Bayou]] / [[coreinfo]] based "BIOS password" feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip.
+
 
+
== Firewire issues ==
+
  
 
* http://md.hudora.de/presentations/firewire/
 
* http://md.hudora.de/presentations/firewire/
 
* http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
 
* http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
  
== TPM issues ==
+
=== TPM issues ===
  
 
* http://tracker.coreboot.org/trac/coreboot/ticket/49
 
* http://tracker.coreboot.org/trac/coreboot/ticket/49

Revision as of 15:22, 15 May 2010

This page explains how coreboot can help with various security aspects of your system, compared to closed-source, legacy BIOS/EFI/firmware implementations.

This page is work in progress!

Common security features

  • Boot password (like BIOS password)
  • RAM wiping after each boot
  • Signature verification - option to boot from payload only signed images
  • Support to encrypted block devices/volumes

Bayou / coreinfo have "BIOS password"-like feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip.

Coreboot can be full-secure solution for your hardware, without this issues, which have "legacy" BIOS:

Current BIOS issues

RAM wiping

SMI issues

ATA issues

Firewire issues

TPM issues