[coreboot] some interesting quotes

Stefan Reinauer stepan at coresystems.de
Thu Jul 31 15:47:11 CEST 2008

ron minnich wrote:
> you may or may not have seen them
> http://eecue.com/log_archive/eecue-log-724-Black_Hat_2007___Day_2___John_Heasman.html
> "There are many ways to get code into the EFI environment. An attacker
> can modify the bootlader directly, modify bootloader varibles in
> NVRAM, modify and reflash firmware or exploit an implementation flaw
> in the driver. Once the attacher is in, they can shim a boot service,
> modify an ACPI table like in the tradition BIOS attack, load an SMM
> driver, or hook interrup handlers. Modifying the boot loader is
> actually quite simple in Mac OSX as the bootloader binary is located
> in user disk space: /System/Library/CoreSerbvice.boot.efi. This isn't
> very stealthy as you are modifying a file on disk which could easily
> be detected by verifying checksums with an application like tripwire."
Our goal, too, is not being stealthy.

Which is why I was quite surprised that not using the locked away memory
areas for my SMM handler was considered a knock-out criterionfor that
> now we've been trying to get this message across for eitght years now
> and it's good to see people are independently figuring it out.
The one thing that transports our message best, in my opinion, is ports
to new chipsets and ports to new boards.


coresystems GmbH • Brahmsstr. 16 • D-79104 Freiburg i. Br.
      Tel.: +49 761 7668825 • Fax: +49 761 7664613
Email: info at coresystems.dehttp://www.coresystems.de/
Registergericht: Amtsgericht Freiburg • HRB 7656
Geschäftsführer: Stefan Reinauer • Ust-IdNr.: DE245674866

More information about the coreboot mailing list