[coreboot] LinuxBIOS/coreboot and security
echelon at free.fr
Thu Jan 31 12:11:27 CET 2008
Also keep in mind another important thing: don't federate your opponents.. (and
don't create new ones!)
Don't forget that the first Xbox platform was cracked because people wished to
run Linux on that hardware, it was not the feat of some "warez crackers"..
When people will think that is morally acceptable to circumvent "security
mesures" because these block their legitimate use (or perceived as this..) is
Don't design your solution as a magical "silver bullet" making your platform
universally hacker-proof in any possible situation.
Security is only effective when one carefully integrate it in every critical
component of the system and when all the possible use cases are evaluated. This
implies that the "security perimeter" must be very well defined and understood.
Practically, IMHO this mean that these kind of "platform security mesures" can
work only for very specific "appliances" (in other words designed for a very
specific use, eg "game console", "dvd player", etc..)
Just my 2 (euro-)cents
Quoting Torsten Duwe <duwe at lst.de>:
> On Wednesday 30 January 2008, Corey Osgood wrote:
> > I think what he was trying to say is that if you give coreboot, say, a FILO
> > payload set up to boot from some medium, with no support for any other
> > medium, then there's no switch you can throw, short of flashing a new bios
> > onto the board.
> Exactly. With FILO or grub2 as payload you can enforce the loading of a
> from disk with specified arguments. This will also allow (re-) installation
> after entering a password. This is secure until someone uses a screwdriver
> and opens the case.
> You can use the TPM (if you have one) then. This is secure until someone uses
> a soldering iron.
> You can manufacture your own fully integrated chips with TPMs. These will be
> secure until someone uses the on-chip equivalent of a soldering iron:
> And so on, and so on...
> How much time and money are you willing to spend?
> coreboot mailing list
> coreboot at coreboot.org
More information about the coreboot