Announcement

Collapse
No announcement yet.

Thoughts On Intel Boot Guard Impairing Coreboot

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Thoughts On Intel Boot Guard Impairing Coreboot

    Phoronix: Thoughts On Intel Boot Guard Impairing Coreboot

    Last week we were first to relay the Coreboot discussion about how Intel Boot Guard in modern PCs is preventing alternative UEFI/BIOS from being used and others have since carried the story too. Matthew Garrett, a name well known to those following UEFI / Secure Boot Linux support, has blogged about his views on Boot Guard...

    http://www.phoronix.com/scan.php?pag...Boot-Guard-MJG

  • #2
    I think that is pretty much the opinion of every informed person on this matter. Very well stated. Hopefully Intel gets the message.

    Comment


    • #3
      I wish that you could buy decent, new motherboards with coreboot support out of the box for home computers. I'd definately buy one when the time came to replace my current motherboard. I suspect that such things won't appear until Linux has better marketshare in home computing, though.

      Comment


      • #4
        "Those who will give up essential liberty to obtain little temporary safey deserve neither liberty, nor safety". Somehow, this statement proves to be so true even many years later.

        Why Intel thinks I'm going to "trust" them and their OEMs just because they used racket-style approach and simply left no other options, declaring my hardware will be dead brick if I try to use alternate firmware? This is racket and treachery, its not trust or security at all. Basically it's like buying house only to figure out previous owner is not willing to give you proper keys at all, so it's really your problem how to break into "your" house. On other hand, someone else carries keys from these doors. Sounds very secure, isn't it?

        Basically, security is all about who carries keys. If you've got locked door and no keys to open it - congrats, you've been JAILED. And now all this security works AGAINST you!

        So welcome to digital concentration camp, version 2.0 - proudly engineered by Intel.
        Last edited by SystemCrasher; 16 February 2015, 08:51 PM.

        Comment


        • #5
          Intel and PC World making false claims on security

          Originally posted by phoronix View Post
          Phoronix: Thoughts On Intel Boot Guard Impairing Coreboot

          Last week we were first to relay the Coreboot discussion about how Intel Boot Guard in modern PCs is preventing alternative UEFI/BIOS from being used and others have since carried the story too. Matthew Garrett, a name well known to those following UEFI / Secure Boot Linux support, has blogged about his views on Boot Guard...

          http://www.phoronix.com/scan.php?pag...Boot-Guard-MJG
          The text from the original PC World story said

          "But that's not all. Someone with physical access to your system could reflash your system. Even if you're paranoid enough that you X-ray your machine after every border crossing and verify that no additional components have been inserted, modified firmware could still be grabbing your disk encryption passphrase and stashing it somewhere for later examination."


          The idea that Boot Guard protects against this is CRAP, surely Intel will provide modified firmware to police agencies to backdoor these machines. If not, the NSA or the courts will simply order them to. Given that presumption I would still regard an encrypted machine that has passed through known enemy hands-especially police or border security-as presumed to contain a keylogger and requiring destruction without booting. Hell they don't even NEED to bypass boot guard, all they need is to lift the keyboard and install a hardware keylogger. Desktops can be protected against this by not using adapters, checking the wiring regularily, and gluing keyboards together. A pattern of glitter in glue on the back as a seal across a joint is said to be cryptographically secure by being impossible to reproduce. Desktops are easier to tamper with, but actually harder to tamper with in a difficult to detect way. The NSA's favorite approach is to replace the keyboard CABLE with one carrying a transmitter, a glued keyboard prevents this.

          A glued down keyboard on a laptop, especially when combined with a seal, is again effective protection against the hardware keylogger. Still, it's for thing like this that border patrol thugs and other goons in badges will have access to tools from Intel to bypass Boot Guard, just as they have tools from Microsoft to read out keys from RAM in a Bitlocker equipped machine they capture running.

          Never, ever take laptops across borders unless you are smuggling both the machine and yourself and have no intention of crossing legally! If "security" ever takes the machine out of sight it must be presumed malicious and destroyed. Same for all other electronics such as phones, cameras, etc. Buy them on the other side, use them there, then send your data as encrypted tarballs over the net and resell all that shit you had to buy before coming home. Keep all electronics on one side only of any checkpoint or border unless prepared to scrap them.

          Comment


          • #6
            Originally posted by Prescience500 View Post
            I wish that you could buy decent, new motherboards with coreboot support out of the box for home computers. I'd definately buy one when the time came to replace my current motherboard. I suspect that such things won't appear until Linux has better marketshare in home computing, though.
            I don't know why no motherboard vendor thinks this is an option. It would take very little effort considering they are already paying huge contracts to American Megatrends or whatever asshole is writing all their proprietary firmware, they could just tell them to instead implement support for the board in coreboot and sod off.

            Fuck, sell it for 20 - 30% more. I'd still buy a coreboot enabled board over one without it. You could be making a lot of money off me!

            Comment


            • #7
              Originally posted by zanny View Post
              I don't know why no motherboard vendor thinks this is an option. It would take very little effort considering they are already paying huge contracts to American Megatrends or whatever asshole is writing all their proprietary firmware, they could just tell them to instead implement support for the board in coreboot and sod off.

              Fuck, sell it for 20 - 30% more. I'd still buy a coreboot enabled board over one without it. You could be making a lot of money off me!
              If they did that, they'd have to prevent the normal UEFI board from being flashed with Coreboot to actually get paid for it, which would cause Phoronix, slashdot, and likely you to yell bloody murder :P

              Comment


              • #8
                Originally posted by zanny View Post
                I don't know why no motherboard vendor thinks this is an option. It would take very little effort considering they are already paying huge contracts to American Megatrends or whatever asshole is writing all their proprietary firmware, they could just tell them to instead implement support for the board in coreboot and sod off.

                Fuck, sell it for 20 - 30% more. I'd still buy a coreboot enabled board over one without it. You could be making a lot of money off me!
                Or motherboard manufacturers could band together and fund Coreboot to write and maintain an implementation that carries Tianocore as the payload. All the coreboot project needs to bring up a board is how to initialise the hardware on it, which the mobo manufacturers can relay to the Coreboot project. Going with Tianocore as the payload makes it an UEFI implementation, so no big surprises in the market there.

                Although this might not be feasible. I have no idea how much retalliation this would provoke in Intel, Microsoft and the BIOS/UEFI manufacturers.

                Comment


                • #9
                  Well said, Matthew. Intel, I want to be able to install coreboot.

                  Comment


                  • #10
                    Mathew always have insightful thoughts.

                    A solution would be to have a pre-firmware firmware that checks the integrity of the firmware.
                    If the firmware can be securely confirmed as authentic and official then it boots that firmware.
                    If the firmware has been tampered with or is third-party then it shows a red screen where the user has to manually confirm he intends to boot the firmware upon every boot.

                    This means the pre-boot firmware would have to initialize the video and USB for the the keyboard.
                    Also a hacked/modified/tampered keyboard could auto-confirm the firmware on boot.

                    Maybe it could be a physical jumper on the motherboard?
                    Then on every boot up it shows a red text saying the system is booting third-party firmware.

                    Maybe it could somehow use keys like UEFI, but I don't know. Since this would be loaded prior to UEFI.

                    Comment

                    Working...
                    X