[coreboot] GSoC 2010

[ron minnich]

On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger
<c-d.hailfinger.devel.2006 at gmx.net> wrote:
> On 06.03.2010 19:52, ron minnich wrote:
>> It would be nice, if a flashrom is in there, to also have some sort of
>> security too I think.
>>
>> Something that is not as easily compromised as the stuff that's out
>> there now, which relies on security through obscurity.
>>
>> Is it even possible?
>>
>
> Well, I implemented signature checking for coreboot (so that only signed
> payloads would be executed).
>
> The big question is: Do you want to protect against
> 1. someone with full hardware access (developer),
> 2. someone sitting in front of the machine but without hardware access
> (computer pool),
> 3. against evil malware (including rootkits)?
> I'd say the first category is pointless with current x86 hardware.

I agree completely.
> Second category should be easily achieved by requiring a signed boot
> image for a non-lockdown boot. A default boot would be with locked down
> flash, and only a special kernel/payload/bootable-file-on-disk would be
> able to reflash. Needs chipset cooperation and/or one-shot GPIOs.
> Third category would allow the user to select an unlocked boot. Locked
> boot would be default, and the setting would not be stored anywhere to
> avoid circumvention.

3 is the biggest concern. For me, anyway. (2) is close however.


> At least one modern flash chip ignores the write protect pin for some
> erase commands. A jumper won't help here.

WHO designs this stuff? it would be nice to have a blacklist for such
poor designs.

>Chipset lockdown can be
> circumvented as well. If you really want a rootkit-resistant protection,
> you need two flash chips and some additional circuitry.
>
> (I once worked as an infosec penetration tester, and it shows. I don't
> believe in magic, nor do I believe in correct operation of any chip
> under non-standard conditions.)

I'm glad you're on OUR side :-)

ron