[coreboot] LinuxBIOS/coreboot and security
duwe at lst.de
Thu Jan 31 11:44:57 CET 2008
On Wednesday 30 January 2008, Corey Osgood wrote:
> I think what he was trying to say is that if you give coreboot, say, a FILO
> payload set up to boot from some medium, with no support for any other
> medium, then there's no switch you can throw, short of flashing a new bios
> onto the board.
Exactly. With FILO or grub2 as payload you can enforce the loading of a kernel
from disk with specified arguments. This will also allow (re-) installation
after entering a password. This is secure until someone uses a screwdriver
and opens the case.
You can use the TPM (if you have one) then. This is secure until someone uses
a soldering iron.
You can manufacture your own fully integrated chips with TPMs. These will be
secure until someone uses the on-chip equivalent of a soldering iron:
And so on, and so on...
How much time and money are you willing to spend?
More information about the coreboot