[coreboot] we've always known this was possible and hence never bothered to do it but ...

ron minnich rminnich at gmail.com
Tue May 13 17:16:38 CEST 2008


On Tue, May 13, 2008 at 4:11 AM, Brendan Trotter <btrotter at gmail.com> wrote:

> Of course this is just a silly side issue. The main reason for my post
> was to highlight your hypocrisy - "Everyone look! Some proprietary BIOS
> has an SMM related vulnerability! The world, sooner or later, is going
> to get the message :-)".

Gosh, you've missed my point twice now and called me a hypocrite in
the bargain?

I'll try again. Then I'll give up.

An end-user can, if they need to, have a far better chance of
verifying a coreboot-based system than they can have of verifying a
binary-only system, in the same sense that they can have more
confidence in a system based on open source than on binaries. In the
limit, they can build, burn, and flash their own firmware, replacing
that which came from the factory. That's simply not possible with a
binary-only BIOS.

That's not to say that either is perfect. I'll let you consider the
relative difficulty of verifying coreboot source vs. binary firmware
for end-users who probably won't get the source.

Your idea that one would corrupt a single system and sell it on eBay
is just naive, and as you pointed out, it's silly.

Finally, the idea that it is somehow harder to corrupt a binary-only
based firmware system to which one has no source, vs. a binary only
coreboot for which one has source, given the kind of resources that
the bad guys have nowadays, is also quite naive (you should take it as
a given that they *already have* the source to all the BIOSes out
there anyway).

Which leaves me wondering what point you were trying to make in the
first place.

ron



