Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] How to defend against attacks on chips?

Blibbet blibbet at gmail.com
Mon Jun 17 11:28:44 PDT 2013


Good list: Yeeloong, Coreboot, Opencores, etc.

This book isn't bad for explaining some of the general problems:
http://www.amazon.com/Embedded-Systems-Security-Practical-Development/dp/0123868866

In addition to UEFI alternatives, I'd also argue that we need to fix 
UEFI, to handle the use case of citizens, not just NIST, MSFT, and APPL. 
We need to get OEMs to ship boxes which are signed by Linux OS orgs, not 
just MSFT and APPL.

Secure Boot is currently only targets Win8, until OEMs build systems 
which have firmware signed by a Linux vendor. The current options for 
UEFI and Linux have fragmented this community, Ubuntu, Redhat, SUSE all 
going different ways, and Linux Foundation providing a patch that makes 
Secure Boot useless as a security feature for Linux.

I wonder if UEFI's currernt architecture could be improved, so that it 
could enable >1 OS vendor to sign the firmware, unlike today, where it 
requires a single OS vendor to sign, as I understand. Could the crypto 
foo that enables measuring a Secure Boot also work if there was more 
than 1 OS vendor target option? Right now, with only a single OS vendor 
signing a firmware image, it works well towards restricting OS 
alternatives to the user. The complexity of an OEM getting fw images 
signed by RedHat, Canonical, Attachmate/Novell, etc would be prohibitive 
for them to provide any options by Windows.




More information about the liberationtech mailing list