Thoughts On Intel Boot Guard Impairing Coreboot

  • WorBlux
    replied
    Originally posted by uid313 View Post
    Matthew always has insightful thoughts.

    A solution would be to have a pre-firmware firmware that checks the integrity of the firmware.
    If the firmware can be securely confirmed as authentic and official then it boots that firmware.
    ...
    Maybe it could be a physical jumper on the motherboard?
    ...
    Chromebooks do this already with a two-part firmware; the first part resides on read-only flash memory. The problem is even with this, you can't get a secure/verified boot chain with this and Boot Guard because you can't add new keys into the verified first firmware. At best you can solder/cut closed/open the write-protect circuit and use tamper-evident seals on the hardware. The only way you could extend the protection of Boot Guard through to a user on a libre user-compiled stack is not to enable it until it gets to the user. That is, the user can choose to install the manufacturer key on first boot, or not enable Boot Guard and write their own key onto it later.

    The chances of a mainstream manufacturer doing this, though, are effectively zero.

    Originally posted by Calinou View Post

    You should by the way consider Libreboot as Coreboot contains proprietary blobs (just like Linux).
    Originally posted by Prescience500 View Post
    I don't want to install coreboot myself because it voids warranties. I want to use coreboot while keeping my warranty. Also, every dollar is a vote and that vote only goes toward coreboot if it is preinstalled...preferably by the manufacturer.

    Only the most absolutely sophisticated people would flash their motherboard anyways. Anyway, even if coreboot has binary blobs in it, it would still be an improvement. Once coreboot becomes mainstream and widespread, then we can work on dealing with the blobs. Rome wasn't built in a day and sometimes incremental improvements are the most effective path. Also, you gotta lay the foundations before building the rest of the structure.
    That and modern Intel will never be supported by libreboot. The IME (Intel Management Engine), a co-processor running a separate and proprietary real-time embedded OS that is located on the northbridge chipset and therefore can spy on all of the I/O, and do unmanaged DMA to RAM. It's precisely the same issue you see in mobile phone blobs where the baseband chip is integrated with the CPU. Our best chance at a reasonable functional secure system with current hardware right now is to finish reverse engineering the Lima driver and using an ARM platform that libreboot supports.






  • Prescience500
    replied
    I don't want to install coreboot myself because it voids warranties. I want to use coreboot while keeping my warranty. Also, every dollar is a vote and that vote only goes toward coreboot if it is preinstalled...preferably by the manufacturer.

    Only the most absolutely sophisticated people would flash their motherboard anyways. Anyway, even if coreboot has binary blobs in it, it would still be an improvement. Once coreboot becomes mainstream and widespread, then we can work on dealing with the blobs. Rome wasn't built in a day and sometimes incremental improvements are the most effective path. Also, you gotta lay the foundations before building the rest of the structure.
    Last edited by Prescience500; 18 February 2015, 06:53 PM.


  • ssokolow
    replied
    Originally posted by Luke_Wolf View Post
    Yeah... there's that, and there's this whole situation where the motherboard is bricked if coreboot doesn't work and you don't happen to have the right tools to reflash the EEPROM if things go wrong.
    Of course, that could always be fixed via something like Megabyte's Dual-BIOS where you have a jumper on the mobo, a primary BIOS in EEPROM and a recovery BIOS in ROM that can be used to un-brick the primary BIOS.


  • Luke_Wolf
    replied
    Originally posted by duby229 View Post
    Linux itself can boot up just about any PC you try to put it on. If the same was true for coreboot it would be much more likely to have a wider userbase. It's sort of like a catch-22.
    Yeah... there's that, and there's this whole situation where the motherboard is bricked if coreboot doesn't work and you don't happen to have the right tools to reflash the EEPROM if things go wrong.


  • duby229
    replied
    Linux itself can boot up just about any PC you try to put it on. If the same was true for coreboot it would be much more likely to have a wider userbase. It's sort of like a catch-22.


  • Luke_Wolf
    replied
    On the one hand things like Coreboot are really interesting, on the other... any objection here is more out of principle than practical effect. Unless you specifically purchase devices that have coreboot support, most of us here are likely to never run it, and in cases that we do it's more likely to come from vendors who are themselves installing coreboot as the firmware. In which case this won't matter anyway. So I don't know how I feel about this.


  • MartinN
    replied
    Originally posted by Calinou View Post
    You should by the way consider Libreboot as Coreboot contains proprietary blobs (just like Linux).
    If Coreboot contains blobs that protect the IP/lifeblood of a hardware manufacturer from getting knocked off by some Chinese company, then so be it. This is about installing a BIOS of your choice. Both can be had, security and choice - it's not an either/or proposition, as Matthew points out. Intel ought to make this right.


  • MartinN
    replied
    Originally posted by phoronix View Post
    Phoronix: Thoughts On Intel Boot Guard Impairing Coreboot

    Last week we were first to relay the Coreboot discussion about how Intel Boot Guard in modern PCs is preventing alternative UEFI/BIOS from being used and others have since carried the story too. Matthew Garrett, a name well known to those following UEFI / Secure Boot Linux support, has blogged about his views on Boot Guard...

    http://www.phoronix.com/scan.php?pag...Boot-Guard-MJG
    Pretty sure Intel is aware of being called out on this, and Matthew's points make sense - this can be done via UEFI Secure boot. Has Intel responded to Matthew's comments on Boot Guard? They are known to listen to their customers. And they should particularly listen to this very important minority, because it is such minorities that create software and hardware and shape the worldview of the majority who only use it to their end. Piss off developers and hobbyists, and you've touched a raw nerve.... Let me quote what a wise man once said - "developers developers developers developers developers developers developers developers".


  • Calinou
    replied
    Originally posted by opensource View Post
    Well said, Matthew. Intel, I want to be able to install coreboot.
    You should by the way consider Libreboot as Coreboot contains proprietary blobs (just like Linux).


  • uid313
    replied
    Matthew always has insightful thoughts.

    A solution would be to have a pre-firmware firmware that checks the integrity of the firmware.
    If the firmware can be securely confirmed as authentic and official then it boots that firmware.
    If the firmware has been tampered with or is third-party then it shows a red screen where the user has to manually confirm he intends to boot the firmware upon every boot.

    This means the pre-boot firmware would have to initialize the video and USB for the keyboard.
    Also a hacked/modified/tampered keyboard could auto-confirm the firmware on boot.

    Maybe it could be a physical jumper on the motherboard?
    Then on every boot up it shows a red text saying the system is booting third-party firmware.

    Maybe it could somehow use keys like UEFI, but I don't know. Since this would be loaded prior to UEFI.

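The scheme discussed in this thread (a read-only first stage that checks the next firmware, a key the owner chooses on first boot, and a jumper-gated warning path for third-party firmware), modelled as an added Python example; it is not code from any poster, coreboot or Intel. The `BootRom` class, its result strings and the Lamport one-time signature (a stdlib-only stand-in for the signatures real firmware uses) are assumptions for illustration.

```python
import hashlib, os

def H(b):
    return hashlib.sha256(b).digest()

def keygen():  # Lamport one-time key: 256 secret pairs, public key = their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(s) for pair in sk for s in pair)
    return sk, pk

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):  # reveal one secret per digest bit
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32*i:32*i+32]) == pk[64*i+32*bit:64*i+32*bit+32]
               for i, bit in enumerate(_bits(msg)))

class BootRom:
    """Immutable first stage with a write-once key-hash fuse (hypothetical model)."""
    def __init__(self):
        self._fuse = None                       # shipped unprogrammed
    def enroll(self, pk):                       # owner's choice on first boot
        if self._fuse is not None:
            raise PermissionError("key fuse already programmed")
        self._fuse = H(pk)
    def boot(self, image, pk, sig, jumper=False):
        if self._fuse is None:
            return "UNVERIFIED"                 # verification not enabled yet
        if H(pk) == self._fuse and verify(pk, image, sig):
            return "VERIFIED"
        return "WARN" if jumper else "HALT"     # jumper = physical presence

def demo():
    rom = BootRom()
    (usk, upk), (osk, opk) = keygen(), keygen()
    mine, vendor = b"user-built image (constructed)", b"vendor image (constructed)"
    usig, osig = sign(usk, mine), sign(osk, vendor)
    out = [rom.boot(mine, upk, usig)]           # before enrollment
    rom.enroll(upk)                             # owner fuses their own key
    out += [rom.boot(mine, upk, usig),          # owner's signed image
            rom.boot(vendor, opk, osig),        # other key, no jumper
            rom.boot(mine + b"!", upk, usig),   # tampered image
            rom.boot(vendor, opk, osig, jumper=True)]
    return out
```

`demo()` returns the boot decision for each case in order; a second `enroll()` call raises, which is the property that makes the timing of enrollment the whole question.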