[coreboot] software hardening research project - request for advices to start

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Fri Nov 1 00:37:36 CET 2013


Hi,

On Mon, 21 Oct 2013 18:14:38 +0200
Laurent Lesage <laurent at 2lconsult.be> wrote:

> 3. is it possible to flash the BIOS without locking the board, i.e.,
> is it always possible to recover a working bios if flashing process
> failed, or experimental BIOS is not working as expected. In that
> sense, are there boards to avoid?
I'm working on that [1][2].
But my approach is to delegate the decision of telling coreboot that
the computer booted fine, to something running after coreboot.
(I'm interested in making it as late as possible, like in the last init
or systemd init script/unit).

Else src/lib/fallback_boot.c implements it by telling coreboot that it
booted fine in the ramstage.

Another way would be to do it in the payload, nvramcui[3] can manipulate
the nvram, and it's a payload.

References:
[1]http://review.coreboot.org/#/q/status:open+project:coreboot+branch:master+topic:falback-patches-v2,n,z
[2]http://www.coreboot.org/Fallback_mechanism#New_Howto_.28depends_on_code_that_is_not_yet_merged.29
[3]http://review.coreboot.org/gitweb?p=coreboot.git;a=tree;f=payloads/nvramcui;h=ba7292c4e2fedfbc86a212d3e496f5bdc31ebc6f;hb=HEAD

Denis
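
Added example (not part of the original mail and not coreboot code): a small C model of the trade-off discussed above, comparing a "booted fine" mark written in the ramstage with one written late in init. It assumes the mark resets a persistent attempt counter that early boot code decrements; the counter, its limit of 3 and all names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical model, not coreboot code. The persistent attempt counter
 * and its limit are assumptions standing in for the nvram state. */
enum stage { ROMSTAGE, RAMSTAGE, PAYLOAD, LATE_INIT, NEVER };
enum image { IMG_NORMAL, IMG_FALLBACK };
struct nvram { int attempts_left; };    /* survives resets */
#define MAX_ATTEMPTS 3

/* Early boot code: choose the image and consume one attempt. */
static enum image select_image(struct nvram *nv)
{
    if (nv->attempts_left <= 0)
        return IMG_FALLBACK;
    nv->attempts_left--;
    return IMG_NORMAL;
}

/* Boot a normal image that hangs in stage `fails_at` (NEVER = healthy),
 * with the "booted fine" mark written in stage `confirm_at`. Returns the
 * number of resets before fallback is selected, or -1 if the normal image
 * is still being selected after `max_boots` boots. */
static int resets_until_fallback(enum stage fails_at, enum stage confirm_at,
                                 int max_boots)
{
    struct nvram nv = { MAX_ATTEMPTS };
    for (int boot = 0; boot < max_boots; boot++) {
        if (select_image(&nv) == IMG_FALLBACK)
            return boot;
        for (int s = ROMSTAGE; s <= LATE_INIT; s++) {
            if (s == (int)fails_at)
                break;                          /* hang, machine gets reset */
            if (s == (int)confirm_at)
                nv.attempts_left = MAX_ATTEMPTS; /* "booted fine" */
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: the normal image hangs in the payload. */
    printf("confirm in ramstage:  %d\n",
           resets_until_fallback(PAYLOAD, RAMSTAGE, 10));
    printf("confirm in late init: %d\n",
           resets_until_fallback(PAYLOAD, LATE_INIT, 10));
    return 0;
}
```

In this model a payload hang is never caught when the mark is written in the ramstage (-1), while a late-init mark reaches the fallback image after 3 resets.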


