[coreboot] not really new news ... but ...

FENG Yu Ning fengyuning1984 at gmail.com
Tue Mar 24 05:31:27 CET 2009


ron minnich wrote:
> And they used flashrom, it appears. :-)
Great!

The SPI controllers in ICH7 and up have several security mechanisms to
prevent unauthorized modification of the flash memory. Boards from
intel utilize those mechanisms, but many more boards from other
manufacturers don't.

By gaining security from those mechanisms, one loses freedom. One
mechanism seems to involve public key cryptography. AFAIK, one can
only use the IFlash utility from intel to reflash their BIOS, and I am
not awared of any cross-flash ability of IFlash. Thus, intel boards
are flashrom unfriendly.

That said, I think there is still chance that the cryptographical
security mechanism could be cracked. (I am not good at cryptography,
so expect errors and correct me.) Since IFlash needs to authenticate
itself (to the SMI handler), the process might be:

    SMI handler generates a random number
    SMI handler encrypts that number with the public key.
    SMI handler publish the challenge

    IFlash decrypt that with a private key(!)
    IFlash writes its answer
    IFlash sends a modification request
    SMI handler receives the request
    SMI handler compares the answer with the original number
    confirmed and unlocked

IFlash needs to carry the private key with it.

If that is true and someone implements an attack, the public-key
cryptography security mechanism for the flash memory will be a
joke. If the knowledge is not publicly known, then the security
mechanism becomes a path for the malware and an obstacle for utilities
like flashrom.


yu ning




More information about the coreboot mailing list