[coreboot] LinuxBIOS/coreboot and security

Philipp Marek philipp at marek.priv.at
Fri Jan 25 12:50:38 CET 2008


Hello everybody!

First I have to admit that while I occasionally followed the
progress of LinuxBIOS I don't really know that much about it,
so please forgive me if that discussion is already over and
done with.


My question is this. I'd like to secure machines against the
people that should work with them [1].


In most BIOSes I can set the boot order to "harddisk only".
(coreboot too, right?). That doesn't help if someone has
access to the machine and can reset the CMOS.

Encrypting the harddisk is another way, but if someone installs
a trojan/keylogger or uses

Now my idea was:
- Set the boot order and a BIOS password
- Encrypt the harddisk, (print the key and store it somewhere safe),
  and derive the key from some passphrase (and/or smartcard, etc.)
  *and* CMOS data.

As soon as I get, say, 128 bits of entropy there, e.g. by the
salted MD5 hash of the BIOS password, it's suddenly a great bit
harder to get into the machine. If the machine has an intrusion
detection, the better; and if the BIOS overwrites the password
as soon as a changed harddisk (by serial number and SHA1 of
bootsector?) is detected, it is a really good solution.

The only possible way to attack that'd be left is on the order
of cutting holes in the case, and using a logic analyser to get
the CMOS values of the motherboard's bus and similar ... and
that is likely to raise questions.


Ad 1: I know that that's impossible to achieve fully, like DRM.
But if there is some easy way to set the bar higher - then why not?


Thank you for all remarks, ideas and answers!
Happy weekend!


Phil
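
The key derivation proposed above (passphrase *and* CMOS data), sketched as an added example that is not part of the original post or of coreboot. It swaps the salted MD5 mentioned in the post for PBKDF2-HMAC-SHA256 plus HMAC; the function names, the on-disk key-check value and all sample values are constructed assumptions.

```python
import hashlib
import hmac

KEY_LEN = 32              # 256-bit volume key
PBKDF2_ROUNDS = 200_000   # assumed work factor for passphrase stretching

def derive_disk_key(passphrase: str, cmos_secret: bytes, salt: bytes) -> bytes:
    """Derive the volume key from the passphrase AND a secret held in CMOS.

    The passphrase is stretched first, then keyed with the CMOS secret, so
    neither factor alone is enough to reproduce the key.
    """
    if len(cmos_secret) < 16:
        raise ValueError("CMOS secret must carry at least 128 bits")
    stretched = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=KEY_LEN)
    return hmac.new(cmos_secret, b"disk-key-v1" + stretched, hashlib.sha256).digest()

def key_check_value(key: bytes) -> bytes:
    """Short verifier stored in the disk header to recognise the right key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]

def unlock(passphrase: str, cmos_secret: bytes, salt: bytes, stored_kcv: bytes):
    """Return the volume key if both factors match, otherwise None."""
    try:
        key = derive_disk_key(passphrase, cmos_secret, salt)
    except ValueError:
        return None
    ok = hmac.compare_digest(key_check_value(key), stored_kcv)
    return key if ok else None

# Constructed sample values; a real setup would use random bytes.
PASSPHRASE = "correct horse battery staple"
SALT = hashlib.sha256(b"constructed salt").digest()[:16]
CMOS_SECRET = hashlib.sha256(b"constructed CMOS secret").digest()[:16]
STORED_KCV = key_check_value(derive_disk_key(PASSPHRASE, CMOS_SECRET, SALT))

if __name__ == "__main__":
    cases = {
        "normal boot": (PASSPHRASE, CMOS_SECRET),
        "CMOS reset to zeros": (PASSPHRASE, bytes(16)),
        "disk moved to another board": (PASSPHRASE, b"\x5a" * 16),
        "wrong passphrase": ("letmein", CMOS_SECRET),
    }
    for name, (pw, cmos) in cases.items():
        result = unlock(pw, cmos, SALT, STORED_KCV)
        print(f"{name:30s} -> {'unlocked' if result else 'refused'}")
```

Because the CMOS secret enters the derivation itself, resetting the CMOS locks the disk instead of bypassing a password check, which is why the post also keeps a printed copy of the key.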




