[coreboot] LinuxBIOS/coreboot and security

Philipp Marek philipp at marek.priv.at
Mon Jan 28 07:56:53 CET 2008


Hello everybody!

> On Sunday 27 January 2008, Peter Stuge wrote:
>> On Sun, Jan 27, 2008 at 11:32:26PM +0100, Torsten Duwe wrote:
>> > DRM does not work.
>>
>> I think this is because it tries to provide an all-encompassing
>> solution to a generic problem.
>
> No, because it tries to provide a technical solution to a social
> phenomenon
> percieved as a problem.
>
>> "Securing machines against the user" is also very generic. If you can
>> be more specific, Phillip, perhaps we can offer some suggestions.
>
> Yepp. A defense strategy needs an attack scenario first.
I'm fully aware that *every* security can be broken - it's always a
question of how much money/time gets invested (both by the defender, and
the attacker).


The scenario is to protect the system installation against the user.
- Using some operating system unencrypted - boot from a CD.
- Protect the boot order - reset the CMOS.
- Store important information in the CMOS.

That's my thoughts by now.

Of course, you'd need a dead-man switch in the case (that deletes the
CMOS), but that's available in quite some cases - just connect the cable
to the right motherboard position, and you're find (if it's the correct
switch - close/open).

Simply substituting the BIOS with another one won't be so easy.

If it's a notebook, possibly a hardened one, getting to the motherboard
might mean some work - and tripping the intrusion detection.


All I'm asking for is a BIOS password, that gets stored as a salted hash
in a fixed location in the CMOS - then a system installation process can
write some generated value there, and use that for harddisk encryption.

Securing the hardware is necessary, too - but there coreboot won't help me
:-)


Thank you for your answers!


Regards,

Phil





More information about the coreboot mailing list