On 08/31/2015 04:13 AM, Georgi Guninski wrote:
The document appears to be: https://github.com/lfit/itpol/blob/master/linux-workstation-security.md Linux workstation security checklist
Since the Linux Foundation advice is recommending UEFI and Secure Boot and TPMs, I think they should also recommend running Intel CHIPSEC -- directly or via LUV-live -- for firmware vulnerability analysis, at least on the Intel systems (AMD has no CHIPSEC port). If the system was designed vulnerable by the vendor, there's little point in bothering with Secure Boot or any OS-level hardening....

https://01.org/linux-uefi-validation/downloads/luv-live-image
https://github.com/chipsec/chipsec

Guidance should probably enable Verified Boot when running Chrome, perhaps the Verified U-Boot and other secure coreboot/U-Boot implementations.

The advice should also mention that each distro's Secure Boot varies in strength; some allow unsigned kernel drivers to be loaded even if Secure Boot is enabled.

http://firmwaresecurity.com/2015/07/17/secure-boot-strength-varies-by-linux-...

It should mention virtual firmware security (inside VirtualBox, QEMU, etc), especially after the last BlackHat talk:

http://firmwaresecurity.com/2015/08/08/689/

There's more to do: taking snapshots of the ROM, scanning for changes, tracking vendor firmware updates, ensuring the system has fresh firmware bits, etc. But it's a nice start.
Troll-friendly appears this claim: UEFI boot mode is used (not legacy BIOS) (CRITICAL) UEFI and SecureBoot
(ask RMS ;-) )
AFAIK, RMS uses an IBM Thinkpad retrofitted with LibreBoot (presumably using SeaBIOS BIOS clone).

https://stallman.org/stallman-computing.html

I don't think RMS is responsible for LF's IT security policies. :-)

If someone has one of these old Thinkpad boxes (sold by "Ministry of Freedom" (formerly trading as Gluglug)), please try to run CHIPSEC on it; if it runs, run chipsec_main.py to see if it passes the security tests. I don't expect CHIPSEC will recognize the ancient Intel chipset used by the old IBM Thinkpad. It'd probably take someone to update CHIPSEC to add system data for this old chipset, in order to make it work. Perhaps Ministry of Freedom has a vested interest? :-)

Potential insecurely-built IBM system firmware security aside, I don't think Libreboot nor SeaBIOS offers much in terms of security to stop attackers, as well. U-Boot and coreboot both have PKI-enabled boot flavors that're vaguely like UEFI's Secure Boot, which Ministry of Freedom could be using, to help secure their modern customers.
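
The point above about Secure Boot strength varying by distro can be checked on a running system. The following is an added example, not part of the original message or of CHIPSEC: it reads the Secure Boot EFI variable and the kernel's module-signature settings from sysfs. The function names and the optional root-directory argument are hypothetical, chosen here so the checks can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example: report whether Secure Boot is on and whether the running
# kernel still accepts unsigned modules. The optional first argument is a
# hypothetical root override (default /) for testing against a constructed tree.
# Usage on a live system: boot_chain_verdict /

SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Prints: legacy-bios | uefi-sb-off | uefi-sb-on | uefi-sb-unknown
secure_boot_state() {
    root=${1:-/}
    [ -d "$root/sys/firmware/efi" ] || { echo legacy-bios; return; }
    var="$root/$SB_VAR"
    [ -r "$var" ] || { echo uefi-sb-unknown; return; }
    # efivarfs files hold 4 attribute bytes followed by the variable data;
    # for SecureBoot the data is a single byte, 1 = enabled.
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$val" in
        1) echo uefi-sb-on ;;
        0) echo uefi-sb-off ;;
        *) echo uefi-sb-unknown ;;
    esac
}

# Prints: enforced | not-enforced | unknown
module_sig_state() {
    root=${1:-/}
    # Kernel lockdown refuses unsigned modules even when sig_enforce reads N.
    lock="$root/sys/kernel/security/lockdown"
    if [ -r "$lock" ] && ! grep -q '\[none\]' "$lock"; then echo enforced; return; fi
    f="$root/sys/module/module/parameters/sig_enforce"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# Exit status 0 only when Secure Boot is on AND unsigned modules are refused.
boot_chain_verdict() {
    sb=$(secure_boot_state "$1"); mod=$(module_sig_state "$1")
    echo "secure_boot=$sb module_signatures=$mod"
    [ "$sb" = uefi-sb-on ] && [ "$mod" = enforced ]
}
```

A result of `secure_boot=uefi-sb-on module_signatures=not-enforced` is the weak configuration described above: firmware verifies the bootloader, but the kernel will still load unsigned drivers.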