<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><a rel="nofollow" target="_blank" href="http://www.gigabyte.com.tw/FileList/NewTech/2006_motherboard_newtech/how_does_quad_bios_work_dq6.htm">http://www.gigabyte.com.tw/FileList/NewTech/2006_motherboard_newtech/how_does_quad_bios_work_dq6.htm</a><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Nathaniel Dube <njdube@gmail.com><br>To: coreboot@coreboot.org; cores@opencores.org<br>Sent: Thursday,
June 12, 2008 2:42:30 PM<br>Subject: [oc] 3 Chip Open BIOS + ESP: Backup/Secure BIOS with Redundancy<br><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>First off, I'm by no means a engineer. This message is going out to real <br>engineers that might have interest in bringing the idea I'm about to share <br>with you to reality. This idea came to me after some light reading about <br>rootkits on wikipedia and playing around with the program "rkhunter". <br><br>Malware designers are writing code that can infect a system via rootkits. <br>I've even read about the possibility of malware that can infect ROM chips on <br>mother boards as well as ROM chips on PCI cards. Meaning, anything that is <br>rewritable isn't safe from malware. Then it dawned on me that most of these <br>security issues could be minimized at the hardware level at preboot, meaning <br>before the operating system loads.<br><br>My brother brought his laptop to me complaning the internet wont work and that <br>it's slow as a whale turd. When I
looked at it I found it swarming with <br>viruses. I asked him what happened to the firewall and antivirus that In <br>installed for him and he said he turned them off because the firewall was <br>messing with his internet and he didn't know how to turn it off with out also <br>turning off the antivirus. I think it was Eset Internet Security. I use <br>Linux on my system so I don't touch Windows software all that often. I've <br>come to the conclusion that it doesn't matter what software you put on there <br>or what you do, stupid users (and most users are stupid) will fsck up there <br>system.<br><br>That's when I decided that mother boards need to be dramatically redesigned <br>from the ground up with a proactive role in security. Now here's where I <br>will start with my wonderful idea that will save the world. You will either <br>see that world with me or you wont.<br><br>I'm sure most of you are aware of the
history of the BIOS and the ROM's <br>they're on. Back in the day they really where ROM in every sense of the term <br>that they where READ only. They where embed on the board so you would need a <br>solder iron to remove them. Then they came out with the removable kind with <br>sockets that you can replace with a new chip. Then comes the kind you can <br>flash with software but are embedded. I'm sorry but impeded un-removeable ROM <br>chips are completely asinine. Now on to my idea.<br><br>Instead of one ROM chip for the BIOS there should be 3 and use "coreboot" as <br>the BIOS. All 3 will utilize sockets to be removeable for easy replacement. <br>The first chip will have the purpose as a backup of the default BIOS and the <br>chip will be read only. The second chip will house a copy of the primary <br>BIOS which will be rewritable and allow for updates. The third chip I will <br>call the ESP
(Emergency Security Protocols) ROM which may or may not be read <br>only, I haven't decided yet. The third chip will have the open source <br>programs rkhunter, clamav and perhaps other programs that might be useful for <br>a preboot.<br><br>In the event the other two are corrupted for what ever reason you need only <br>flip a jumper, turn on the computer and the backup BIOS takes control and <br>allows you to wipe the other two chips and restore a rewritable copy of the <br>BIOS to chip 2 and the ESP BIOS to chip 3. The backup BIOS will also have <br>the Linux program "wipe" so in the unlikeliness a rootkit takes control of <br>chips 2 and 3 chip 1 will wipe it out and start from scratch.<br><br>This board will also have integrated wifi as well as lan making it easy to get <br>a internet connection. The goal being to be able to update the signatures of <br>rkhunter and clamav as well as update both firmware by direct download before
<br>the OS even loads. This entire process will have a liberal use of checksums <br>to make sure at no time is any malware being installed during the preboot <br>process.<br><br>I'm still trying to work out the finer details in my head. So my idea may <br>make sense or it may not. Ultimately what I'm trying to do is build a mother <br>board with BIOS backup/security redundancy. The 3 chips act as a triad that <br>protect one another. The board should be designed so it tries to load the <br>second chip with the rewritable BIOS and use the third chip to do a quick <br>self scan for rootkits. If for some reason the first BIOS wont load it will <br>fall back on the backup BIOS restoring the primary. Perhaps some one can <br>share a better way of implimenting my idea. The goal is to make it damn near <br>impossible for malware to alter or change the BIOS or load at preboot. These <br>security meause could
also be used to protect rewritable ROM on other <br>hardware.<br><br>Please share your thoughts. I would really like to see a board like this see <br>the light of reality.<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v2.0.4-svn0 (GNU/Linux)<br><br>iD8DBQFIUMVWvsn/sQCIOqQRAnqwAJ9lYdjiBqnaVArQvHZIcIIaD8A0gQCfSKn1<br>YYOUf33mToJpZ7N/HI6Q7jY=<br>=VeHI<br>-----END PGP SIGNATURE-----<br>_______________________________________________<br><a rel="nofollow" target="_blank" href="http://www.opencores.org/mailman/listinfo/cores">http://www.opencores.org/mailman/listinfo/cores</a><br></div></div></div><br>
</div></div></div><br>
</body></html>