[coreboot] some interesting quotes

ron minnich rminnich at gmail.com
Thu Jul 31 00:59:57 CEST 2008


you may or may not have seen them

http://eecue.com/log_archive/eecue-log-724-Black_Hat_2007___Day_2___John_Heasman.html

"There are many ways to get code into the EFI environment. An attacker
can modify the bootloader directly, modify bootloader variables in
NVRAM, modify and reflash firmware or exploit an implementation flaw
in the driver. Once the attacker is in, they can shim a boot service,
modify an ACPI table like in the traditional BIOS attack, load an SMM
driver, or hook interrupt handlers. Modifying the boot loader is
actually quite simple in Mac OS X as the bootloader binary is located
in user disk space: /System/Library/CoreServices/boot.efi. This isn't
very stealthy as you are modifying a file on disk which could easily
be detected by verifying checksums with an application like tripwire."

now we've been trying to get this message across for eight years
and it's good to see people are independently figuring it out.

Here's another part:

"The bottom line is that with the added functionality, EFI offers an
attacker many more options than BIOS for exploitation. The EFI
specification is not very clear with regards to security which will
result in various vendors implementing insecure versions of EFI. In
the future look out for nasty rootkits based on EFI."

thanks

ron
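As an added illustration of the checksum-based detection the quoted summary mentions (this is not part of Ron's message, the talk, or coreboot), here is a minimal tripwire-style baseline check in Python: it records SHA-256 digests of the files under a root directory, then reports which baseline files were modified, which went missing, and which files appeared. The directory layout, the stand-in bootloader bytes, and the "tampering" step are all constructed inside a temporary directory for the demo; only the relative path mirrors the one quoted above, and no real firmware image is involved.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream a file through a hash so large images do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, patterns=("*.efi",)):
    """Map each matching file (relative to root) to its digest.

    In a real deployment the baseline would be stored off-host or on
    read-only media, since an attacker who can rewrite boot.efi can
    usually rewrite a baseline kept beside it.
    """
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare_baseline(root, baseline, patterns=("*.efi",)):
    """Re-hash the tree and classify every difference against the baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: a clean check, then a check after the file changes."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout mirroring the quoted path; contents are a stand-in.
        services = Path(tmp) / "System" / "Library" / "CoreServices"
        services.mkdir(parents=True)
        efi = services / "boot.efi"
        efi.write_bytes(b"CONSTRUCTED stand-in for a bootloader image\n")

        baseline = build_baseline(tmp)
        clean = compare_baseline(tmp, baseline)

        # Simulate what the monitor must catch: the tracked file changes
        # and an unexpected image shows up next to it.
        efi.write_bytes(efi.read_bytes() + b"\n")
        (services / "extra.efi").write_bytes(b"CONSTRUCTED second image\n")
        tampered = compare_baseline(tmp, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:   ", before)
    print("after change:", after)
```

The check is only as trustworthy as the baseline's storage and the code that runs it; the quoted point stands that an on-disk modification is cheap to detect, while firmware-resident changes are not visible to a file hash at all.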