[coreboot] GSoC 2010
Stefan Reinauer
stepan at coresystems.de
Sun Mar 7 00:02:45 CET 2010
On 3/6/10 9:17 PM, ron minnich wrote:
> On Sat, Mar 6, 2010 at 11:28 AM, Carl-Daniel Hailfinger
> <c-d.hailfinger.devel.2006 at gmx.net> wrote:
>
>> On 06.03.2010 19:52, ron minnich wrote:
>>
>>> It would be nice, if a flashrom is in there, to also have some sort of
>>> security too I think.
>>>
>>> Something that is not as easily compromised as the stuff that's out
>>> there now, which relies on security through obscurity.
>>>
>>> Is it even possible?
>>>
>>>
>> Well, I implemented signature checking for coreboot (so that only signed
>> payloads would be executed).
>>
>> The big question is: Do you want to protect against
>> 1. someone with full hardware access (developer),
>> 2. someone sitting in front of the machine but without hardware access
>> (computer pool),
>> 3. against evil malware (including rootkits)?
>> I'd say the first category is pointless with current x86 hardware.
>>
> I agree completely.
>
Also, the question is what kind of privilege escalation can be caused by
a security breach. While you can always solder a new flash chip on an
x86 system these days you can still encrypt your data in order to
protect (read) access.
> 3 is the biggest concern. For me, anyway. (2) is close however.
>
Someone sitting in front of the machine usually does have hardware
access, so the differentiation is kind of artificial unless you count
the people forgetting to bring soldering irons and screw drivers.
Stefan
More information about the coreboot
mailing list