Security

From coreboot
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

The wiki is being retired!

Documentation is now handled by the same processes we use for code: Add something to the Documentation/ directory in the coreboot repo, and it will be rendered to https://doc.coreboot.org/. Contributions welcome!

This page explains how coreboot can help with various security aspects of your system, compared to closed-source, legacy BIOS/EFI/firmware implementations.

This page is work in progress!

Common security features

  • Boot password (like BIOS password)
  • Signature verification - option to boot from payload only signed images

Bayou / coreinfo / GRUB2 have "BIOS password"-like feature, using SHA-1 hashes stored in NVRAM or the (flash) ROM chip. GRUB2 can also do signature verification of on-disk operating systems. All such features are in the payload domain since coreboot doesn't provide a user interface. TianoCore could probably be adapted to support either, too.

  • RAM wiping after each boot

Not very useful: The most interesting time would be right before power-off, which could be implemented in SMM. Unfortunately a cautious attacker just pulls the plug.

  • Support booting from encrypted block devices/volumes

GRUB2 can do that.

Current BIOS issues

RAM wiping

SMI issues

ATA issues

Firewire issues

TPM issues