[coreboot] dealing with a malicious OS

Peter Stuge peter at stuge.se
Mon Apr 21 23:23:45 CEST 2008


On Fri, Apr 18, 2008 at 12:07:00PM -0400, Jonathan M. McCune wrote:
> What happens if the BIOS doesn't relinquish control of the EHCI? 

A well-behaved OS will wait.
An ill-behaved OS will try to exploit.


> Does hardware somehow prevent the OS from accessing the USB
> controller? 

Hardware can never know which software (firmware or OS) is accessing
the controller.


> What happens if the OS tries to use the USB controller without
> using these semaphores at all? It seems to me that the OS can at
> least cause a Denial-of-Service by sending commands to the USB
> controller, but I suspect it can also eavesdrop on keyboard events.
> Can anybody confirm or deny this attack?

A malicious OS could poll the controller frequently in order to
eavesdrop on firmware<->hw communication, but the eavesdropping is a
race condition, since firmware and OS probably will not execute in
parallell.

A malicious OS could certainly feed constant junk to a controller in
order to disrupt any firmware use.


The semaphore is only a convenience primitive for use by cooperating
firmware and OS.


> If this is outside the scope of coreboot, I'm sorry for bothering
> the list.

Mh, well maybe just a little. :)


//Peter




More information about the coreboot mailing list