On 1/11/16, Blibbet <blibbet@gmail.com> wrote:
... Yes, I *really* wish there were more AMD64/ARM32/ARM64 experts, most seem to focus on x86/x64. Even at AMD and ARM.
have you played with USB Armory yet? it's my new favorite ARM platform. https://github.com/inversepath/usbarmory
If Linaro finishes porting LUV-live (including BITS, CHIPSEC, FWTS) from Intel to AArch64, CHIPSEC will run on ARM, and the UEFI tests will work, but there won't be any new ARM64-centric security tests, as the few dozen Intel-centric ones won't apply to ARM boxes. We need some arch-centric security experts to create a list of security tests, like Intel ATR team does with chipsec_main security modules.
the joy of ARM is avoiding all the usual platform UEFI, CHIPSEC, etc! the parts of ARM which i enjoy more are the secure boot with signed boot images. of course, if you're not a developer this is less compelling. this all uses TrustZone and fuse memory, under the hood: http://genode.org/documentation/articles/usb_armory https://github.com/inversepath/usbarmory/tree/master/software/secure_boot
One interesting thing about AMD64 is -- *I think* -- that some boards have blob-free options in the coreboot tree, not relying on AGESA binaries.
if you find any, let me know! i don't believe they exist. also, BIOS security on AMD may be even worse than Intel. use an external SPI flash programmer, not a built in one, in that case.
That is something, for the blob-concerned community. Fewer blobs than Intel FSP. Unclear which models, and which branches of the coreboot tree to look at, and if any of those models have modern supplies of hardware, or are ancient.
those blob concerned are going to be increasingly disappointed into the future. on the other hand, for those with heirloom device funds, check out Librem: https://www.crowdsupply.com/purism/librem-13
There *are* blob-free ports of Libreboot to modern ARM boxes, some Chromebooks. And Olimex is apparently working on an ARM64 open source chip, and laptop, that might be interesting.
you're aware of Novena, too? :) https://www.crowdsupply.com/sutajio-kosagi/novena
Also, the SeaBIOS project is adding TPM and other security features in recently, it'll be interesting to see that BIOS added to some Libreboot and other systems, for security + configurability, not just the latter.
indeed!
Hopefully 2016 will get some OEM to bring us a Stateless x86 Laptop, and a RISC-V-based laptop. And more Novenas.
i'm playing with stateless lenovo via USB Armory as OS fill via USB. not quite what you're asking, but might be a nice stop-gap for those seeking better boot authenticity... best regards,