Linux Foundation' Linux workstation security checklist

Blibbet blibbet at gmail.com
Tue Sep 1 08:43:25 PDT 2015 


On 08/31/2015 07:33 PM, coderman wrote:
> On 8/31/15, Blibbet <blibbet at gmail.com> wrote:
>> ...
>> Potential insecurely-built IBM system firmware security aside, I don't
>> think Libreboot nor SeaBIOS offers much in terms of security to stop
>> attackers, as well.
>
> building your own BIOS images, signing your own bootstraps, is "not
offer much"?
>
> you're wrong and these are incredibly useful security measures.
>
> of course by no means sufficient by themselves, and you must always
> keep your laptops/devices safe with you, lest they be implanted by
> trivial means with physical access.

I merely meant that BIOS didn't offer new security tech, that newer
firmware tech does. My point was that Verified coreboot is stronger than
Libreboot, and Ministry of Freedom could be using stronger open source
tech in their product than they currently do. Eg, coreboot has Verified
Boot mode, which is roughly like UEFI's Secure Boot, and can help
protect the a blob-free system more than just Libreboot.

Yes, building your own code is great, if you're able to do so. Building
a stock BIOS with no security is great, but a stock BIOS won't stop
attackers. Users should not have to rebuild their refurbished firmware
to make it better, the vendor should offer that.

Fear of blobs is one thing, fear of firmware attacks are another. Blobs
are a great place for malware to hide, so there is an obvious
relationship, but some freedom/privacy-loving users often seem to only
focus on getting rid of blobs, and not pay much attention to the
security of their firmware.  My concern about Purism is that they'll
disable enough security features to reduce the amount of FSP blobs such
that the system is more attractive to attackers than normal PCs.

Having an ancient laptop may help. Attackers may not be able to use
CHIPSEC's HAL, that's the positive side of not being able to use CHIPSEC
to test your defenses. :-) But there are alternatives to CHIPSEC's HAL,
and they're less strict about chipsec support, and will likely work on
old Thinkpads.

Recently someone ported a modern ARM-based Chromebook (ASUS C201, Veyron
Speedy) to use Libreboot, w/o blobs. That's another alternative to old
x86 systems, with different attacks. I'm not sure what's safer, ARM or
x86 these days. x86 BIOS/UEFI attackers are well-documented by
researchers, but ARM-based ones are less so, AFAICT. I'm unclear what's
safer from attackers, an old x86, or a modern ARM or AMD system.
http://firmwaresecurity.com/2015/08/13/libreboot-ported-to-modern-arm-chromebook/

Blob-free and secure, that's my goal. BIOS -- even Libreboot's SeaBIOS
-- is not secure.

Thanks,
Lee
RSS: http://firmwaresecurity.com/feed

More information about the cypherpunks mailing list