On 08/31/2015 07:33 PM, coderman wrote:
On 8/31/15, Blibbet <blibbet@gmail.com> wrote:
... Potentially insecurely-built IBM system firmware security aside, I don't think Libreboot or SeaBIOS offers much in terms of security to stop attackers either.
building your own BIOS images, signing your own bootstraps, does "not offer much"?
you're wrong and these are incredibly useful security measures.
of course by no means sufficient by themselves, and you must always keep your laptops/devices safe with you, lest they be implanted by trivial means with physical access.
I merely meant that BIOS doesn't offer the new security tech that newer firmware tech does. My point was that Verified coreboot is stronger than Libreboot, and Ministry of Freedom could be using stronger open source tech in their product than they currently do. E.g., coreboot has a Verified Boot mode, which is roughly like UEFI's Secure Boot, and can help protect a blob-free system more than Libreboot alone.

Yes, building your own code is great, if you're able to do so. Building a stock BIOS with no security is great, but a stock BIOS won't stop attackers. Users should not have to rebuild their refurbished firmware to make it better; the vendor should offer that.

Fear of blobs is one thing; fear of firmware attacks is another. Blobs are a great place for malware to hide, so there is an obvious relationship, but some freedom/privacy-loving users often seem to focus only on getting rid of blobs, and not pay much attention to the security of their firmware. My concern about Purism is that they'll disable enough security features to reduce the amount of FSP blobs such that the system is more attractive to attackers than normal PCs.

Having an ancient laptop may help. Attackers may not be able to use CHIPSEC's HAL; that's the positive side of not being able to use CHIPSEC to test your defenses. :-) But there are alternatives to CHIPSEC's HAL, and they're less strict about chipset support, and will likely work on old Thinkpads.

Recently someone ported a modern ARM-based Chromebook (ASUS C201, Veyron Speedy) to use Libreboot, w/o blobs. That's another alternative to old x86 systems, with different attacks. I'm not sure what's safer, ARM or x86, these days. x86 BIOS/UEFI attackers are well-documented by researchers, but ARM-based ones are less so, AFAICT. I'm unclear what's safer from attackers, an old x86, or a modern ARM or AMD system.
http://firmwaresecurity.com/2015/08/13/libreboot-ported-to-modern-arm-chrome...

Blob-free and secure, that's my goal.
BIOS -- even Libreboot's SeaBIOS -- is not secure.

Thanks,
Lee
RSS: http://firmwaresecurity.com/feed