Security: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
<div style="color:red">This page is work in progress!</div> | <div style="color:red">This page is work in progress!</div> | ||
== RAM wiping == | == Common security features == | ||
* Boot password (like BIOS password) | |||
* RAM wiping after each boot | |||
* Signature verification - option to boot from payload only signed images | |||
* Support to encrypted block devices/volumes | |||
[[Bayou]] / [[coreinfo]] have "BIOS password"-like feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip. | |||
Coreboot can be full-secure solution for your hardware, without this issues, which have "legacy" BIOS: | |||
== Current BIOS issues == | |||
=== RAM wiping === | |||
* http://citp.princeton.edu/memory/ | * http://citp.princeton.edu/memory/ | ||
* [[Coreinfo]] as demo payload for coreboot, [http://www.coreboot.org/images/3/3d/Coreinfo_ramdump.jpg showing your RAM contents after a cold boot]. | * [[Coreinfo]] as demo payload for coreboot, [http://www.coreboot.org/images/3/3d/Coreinfo_ramdump.jpg showing your RAM contents after a cold boot]. | ||
== SMI issues == | === SMI issues === | ||
* http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf | * http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf | ||
* http://tracker.coreboot.org/trac/coreboot/ticket/42 | * http://tracker.coreboot.org/trac/coreboot/ticket/42 | ||
== ATA issues == | === ATA issues === | ||
* http://coreboot.org/pipermail/coreboot/2005-May/011686.html | * http://coreboot.org/pipermail/coreboot/2005-May/011686.html | ||
* http://www.heise.de/ct/english/05/08/172/ | * http://www.heise.de/ct/english/05/08/172/ | ||
= | === Firewire issues === | ||
== Firewire issues == | |||
* http://md.hudora.de/presentations/firewire/ | * http://md.hudora.de/presentations/firewire/ | ||
* http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation | * http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation | ||
== TPM issues == | === TPM issues === | ||
* http://tracker.coreboot.org/trac/coreboot/ticket/49 | * http://tracker.coreboot.org/trac/coreboot/ticket/49 |
Revision as of 15:22, 15 May 2010
This page explains how coreboot can help with various security aspects of your system, compared to closed-source, legacy BIOS/EFI/firmware implementations.
This page is work in progress!
Common security features
- Boot password (like BIOS password)
- RAM wiping after each boot
- Signature verification - option to boot from payload only signed images
- Support to encrypted block devices/volumes
Bayou / coreinfo have "BIOS password"-like feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip.
Coreboot can be full-secure solution for your hardware, without this issues, which have "legacy" BIOS:
Current BIOS issues
RAM wiping
- http://citp.princeton.edu/memory/
- Coreinfo as demo payload for coreboot, showing your RAM contents after a cold boot.
SMI issues
- http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf
- http://tracker.coreboot.org/trac/coreboot/ticket/42
ATA issues
- http://coreboot.org/pipermail/coreboot/2005-May/011686.html
- http://www.heise.de/ct/english/05/08/172/
Firewire issues
- http://md.hudora.de/presentations/firewire/
- http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation