[coreboot] GSoC 2010

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sun Mar 7 01:11:32 CET 2010

On 06.03.2010 23:57, Stefan Reinauer wrote:
> On 3/6/10 8:28 PM, Carl-Daniel Hailfinger wrote:
>> On 06.03.2010 19:52, ron minnich wrote:
>>> It would be nice, if a flashrom is in there, to also have some sort of
>>> security too I think.
>>> Something that is not as easily compromised as the stuff that's out
>>> there now, which relies on security through obscurity.
>>> Is it even possible?
>> Well, I implemented signature checking for coreboot (so that only signed
>> payloads would be executed).
> When coresystems developed our first version of hard crypto signature
> checking for firmware in 2007/2008 we explicitly decided to not check
> the payload but only let the payload check further stages. The reason
> was that if you're able to compromise the flash chip, you're able to
> reprogram coreboot just as well as the payload. Also, we didn't want
> feel comfortable to duplicate the amount of crypto code in the flash,
> and there is no serious mechanism around that protects only the
> bootblock, at least not on commonly used systems.


> So I'm interested to hear your reasons to do this in coreboot itself...
> Is your code publically available somewhere?

Thesis by Rene Reuter:
Basically, I did it for fun, and because Rene was stuck trying to
include OpenSSL in coreboot. I simply coded up a working alternative.
And yes, I agree that checking the payload is pointless if flash
protection is either full-on (not needed) or full-off (attacker can
modify coreboot itself). The only halfway reasonable use case would be
if coreboot is in a write protected part of the flash chip and the
payload is in an unprotected part of the flash chip.


"I do consider assignment statements and pointer variables to be among
computer science's most valuable treasures."
-- Donald E. Knuth

More information about the coreboot mailing list