
NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative - ItsTotallyOn
https://www.tomshardware.com/news/nsa-contributes-low-level-stm-coreboot,39704.html
======
neilv
I applaud moving away from UEFI, to something simpler and more transparent,
and something not hostile from the start to open source.

I like how relatively simple my Coreboot systems are. The sooner that Coreboot
can minimally initialize hardware and invoke an open source bootloader or
Linux kernel payload directly, the better. (Bonus, if the kernel doesn't need
legacy PC BIOS services.)

Regarding concerns raised in the article, I'd be more suspicious of closed
microcode and firmware blob parts, than of open source parts. Many
knowledgeable eyes on the open parts can help. Though, of course, open parts
could, in theory, be crafted to provide affordances for naughtiness involving
closed parts. I have mixed feelings about recent initiatives to push closed
updates more widely and reliably, and look forward to more-open hardware.

~~~
JohnStrangeII
I still think it's problematic, since it is in the vital interest of the NSA,
and one of its core missions, to be able to penetrate endpoint security at
that level. If they contribute to Coreboot, then that means either that they
want to compromise the project or that their "tailored access" group already
has enough other ways of comfortably breaking the security of any PC at a
level that is low enough (to evade all user-level software, anti-virus
vendors, etc.). Both possibilities are bad for international users, even if
the second one is obviously more preferable.

It makes no sense for the NSA to assist making PCs secure for non-military use
and for use by non-US citizens against their own attacks, because it
contradicts their mission statements. The only other (not totally implausible)
explanation is that different departments within the NSA are so disconnected
from each other that they have started to work against each other.

~~~
chongli
_vital interest of the NSA, and one of its core missions, to be able to
penetrate endpoint security_

It's also a core mission of the NSA to protect US networks from attack. If
they're inserting backdoors in products used by US businesses, they're
directly undermining their core mission.

~~~
whatshisface
What about PRISM? Protecting US networks is clearly not a part of their
mission.

~~~
GcVmvNhBsU
Do you even understand what PRISM was?

~~~
GcVmvNhBsU
More info to better conform to the guidelines.

OP, your insinuation is that PRISM weakened US networks, but that is a
misunderstanding of what the program actually did. Wikipedia:

> The actual collection process is done by the Data Intercept Technology Unit
> (DITU) of the FBI, which on behalf of the NSA sends the selectors to the US
> Internet service providers, which were previously served with a Section 702
> Directive. Under this directive, the provider is legally obliged to hand over
> (to DITU) all communications to or from the selectors provided by the
> government. DITU then sends these communications to NSA, where they are
> stored in various databases, depending on their type.

I personally think it's important to understand what types of surveillance our
government is doing and not listen to FUD on what people think they are doing.
In this case, there's no weakening of a network. The FBI provides a selector
(email) to the service provider, and the provider uses their own systems to
retrieve the data and send it back. The "direct line" that many people
reference is to the database of selectors, so that FBI can push it directly to
the provider.

------
achingtooth
People in this thread are talking about how they wouldn't trust the NSA at
all. I went to a presentation and talked with people from the NSA before and
at face value they seemed like a Silicon Valley tech company. In their
presentation they talked about how they were interested in open source,
diversity, big data, artificial intelligence, and all the other buzzwords.
They all seemed like they genuinely thought what they were doing was helping
people. I know what they've done (and continue to do) but it's strange being
able to attach a face to an action. You're more likely to believe them and buy
what they are saying. I suppose the best thing to do is check over their code
and accept it if everything looks good. They probably are being genuine.

As an extra piece of information that I found interesting, they were pushing
the diversity stuff hard. Everyone that gave the presentation were women (and
they weren't low level people), they had an African-American person that
worked there talk about how inclusive it was, they talked about how they're
super accepting of LGBTQ+ people, and on and on. The tech stuff was for like 5
minutes, then the rest was on diversity (at a tech presentation, looking for
recruits). I'm not exaggerating.

~~~
jplayer01
So all of this makes what they actually do as a living okay? You know, dragnet
surveillance, physically wiretapping Google's internal network, backdooring
encryption, etc.? Since when are we trusting the face value of anything
somebody at the NSA says? Where's the skepticism gone from the Snowden days?
Like, these people aren't our friends. Any code contributions from
organisations like this, which do not have our best interests at heart and at
worst actively attempt to subvert efforts at hardening encryption and other
security efforts, need to be combed over with a fine-tooth comb.

Hell, as a European, the NSA is very clearly the enemy. Their goal is to
protect US citizens, maybe, with very unconstitutional methods. They have
little to no interest in the privacy or legal rights of people outside of the
US, and yet have an unimaginable global reach.

~~~
snazz
The fact that they’re not committing their changes under a pseudonym or front
company suggests that they’re okay with the world knowing about what they’re
up to. Same with their reverse-engineering toolkit.

What Snowden publicized was, for the most part, completely hidden from the
view of society. The NSA wasn’t coming to tech conferences announcing their
new surveillance tools.

Don’t think that the new parts of Coreboot won’t attract scrutiny from
security-conscious companies and individuals.

~~~
ionised
> The fact that they’re not committing their changes under a pseudonym or
> front company suggests that they’re okay with the world knowing about what
> they’re up to.

They are not committing their most secretive and effective tools on GitHub for
Christ's sake.

------
jchw
Oh, cool. I really enjoy coreboot in principle, but I wish more systems
supported it. None of my daily drivers are running Coreboot, as of today. I’m
pretty inept when it comes to low level stuff, but I’ve been playing around
trying to port Coreboot to an unsupported laptop board. It’s probably futile,
but it was pretty exciting seeing some serial output for the first time.

From lurking around, one of the more surprising things I’ve found is that DDR
RAM initialization seems to be the single most difficult aspect of the whole
boot process, or at least on typical PC platforms. Not to say everything else
isn’t also difficult; the debugging tools available to the general public for
firmware are fairly rudimentary.

~~~
incompatible
There was a story a few years ago about "Intel Boot Guard" making it
impossible to install things like Coreboot. I don't know if that was ever
resolved.

~~~
ENOTTY
That's not strictly true. In my view, Boot Guard is sort of like a locked
bootloader. In Boot Guard, the CPU verifies a signature on system firmware
before loading it. The signature is verified using a public key from the
platform manufacturer. So under the Boot Guard regime, the platform
manufacturer essentially gets a vote in whether your platform can run modified
firmware level code. Or you find a jailbreak.

~~~
incompatible
OK, in that case I'd be very interested to know which motherboard
manufacturers are friendly to installation of replacement firmware and which
not.

coreboot.org links to libreboot.org, but the list of supported hardware is
pretty short:
[https://libreboot.org/docs/hardware/](https://libreboot.org/docs/hardware/)

~~~
ENOTTY
I think Purism might be amenable. Worth double checking with them.

~~~
incompatible
They don't even use Intel CPUs, it seems. Boutique vendors would be out of my
price range, and the few boards supported by Libreboot seem to be circa 2009
models, presumably preceding Boot Guard. I doubt that it's something I'll be
using any time soon.

------
vinay_ys
It is the job of journalists to ask these controversial questions about NSA's
role as a saboteur vs contributing in good faith to really improve the
security of systems. So, nothing wrong with that. Healthy skepticism and all
that.

In my experience, when closed source research teams start to contribute to
well-run open-source projects there can be valuable contributions.

But it highly depends on having independent and technically competent
maintainers with strong personalities who are not easily manipulated into
accepting patches that they don't understand or violate their technical
principles.

------
mort96
I hope the Coreboot people are extremely careful about this. Accepting code
from a giant agency with the goal of making everyone less safe is very
dangerous.

~~~
anfilt
It could also be the NSA does not trust proprietary firmware for similar
reasons people are working on open source firmware to begin with.

The problem is NSA really only knows their motives.

The other problem with the NSA is that they have two goals. One is to protect
the US and US entities' security and the other is to subvert foreign entities.
If they start publicly recommending coreboot for what they deem sensitive
installations then their intentions are obviously not malicious. Problem is the
NSA may never publicly specify that it's for sensitive installations and may
only ever be an internal guideline.

~~~
pytester
Their MO seems to be to improve the overall IT security of the nation such
that it's less vulnerable to less sophisticated actors but still vulnerable to
them.

This is likely tacit recognition that UEFI is such a dumpster fire that it's
not only vulnerable to them.

~~~
nickpsecurity
"Their MO seems to be to improve the overall IT security of the nation such
that it's less vulnerable to less sophisticated actors but still vulnerable to
them."

That's exactly what they do. How they rate and evaluate their high-security
products (Type 1 or EAL6+) vs majority of market (EAL4 or less) under Common
Criteria corroborates your claim. EAL4, which Linux and others top out at,
says it's only trusted to stop "casual or inadvertent attempts to breach
security." Anything prolonged or well-funded will breach it.

------
Stay_frostJebel
I hate it when news outlets assume readers don't know what they are talking
about and use analogies like "UEFI BIOS Alternative" without mentioning the
actual thing on the title ("Coreboot").

~~~
floatboth
Especially when it's flat out _wrong_. Coreboot is low level init code that
launches a payload. Which can be TianoCore EDK2 or SeaBIOS.

------
unnouinceput
I wouldn't trust NSA with a "hello world" program. The way they might phrase
it could trigger a hidden feature in the linker, which in turn could trigger
hidden instructions in the CPU, making the 3-line program a backdoor into your
system.

~~~
steve19
You better avoid the Linux kernel then as the NSA have contributed a lot more
than 3 lines.

------
NelsonMinar
Could you imagine the shitstorm if Coreboot was accepting code from a Chinese
intelligence agency? I'm American myself and am glad NSA is on my side. But
they've proven themselves time and time again to be completely untrustworthy
when it comes to securing our computer systems.

~~~
roboys
"glad NSA is on my side", you are 100% sure about this?

~~~
ggg2
maybe they also have nothing to hide /s

------
arianvanp
I applaud this and I think the coreboot team is good enough to be critical and
diligent about patches they will receive.

------
oil25
This is great news - not only will competent NSA hackers improve Coreboot, but
their participation will usher in even more scrutiny and review of the code.
This is a win for everyone.

------
peter_d_sherman
In reading the discussion here, I'd like to bring up an error that the News
Media typically makes when discussing large groups of people... That is, they
implicitly or explicitly judge large groups of people -- most notably other
countries / other nationalities -- by the actions of the few.

Applied to a group, in this case the NSA, I don't believe that they should be
judged by the actions of a few of their members... I am sure there are both
socially positive and socially negative actors in the group (and everybody in
between), thus it is disingenuous to judge the group in either direction...

Me, I'm completely neutral about the NSA, with one exception, and that is that
I feel that companies should _NEVER_ be exposed to secret NSL's... either make
those communications a part of the public record for congressional and other
legal/legislative oversight, or don't send them in the first place!

But that's not the _people_ of the NSA, whom I hold harmless... That's part of
the _mission_ of the NSA, and well, mere mortal citizens are probably not
going to change that anytime soon...

If anyone really wants a secure computer, build yourself a VAX-11/780 out of
transistors, and write the operating system too... (If I ever did, I'd put on
a few of my super-secret cooking recipes ("Mmm, however did you get those BBQ
ribs to taste so good? It's a secret!") along with a note "If you got this
message, you are definitely elite, and please don't delete my BBQ sauce
recipe!").

Try and get that with no RF link in the electronics... I double dare you...<g>

In the meantime, back up your files, and audit your communications regularly
for anything you wouldn't want on the news 24/7... <g>

But the NSA? Not evil...

~~~
crankylinuxuser
> Try and get that with no RF link in the electronics... I double dare
> you...<g>

Build my GPL3'd Signals Intelligence device, and you can _audit_ it :)

[https://www.rtl-sdr.com/the-radioinstigator-a-150-signals-in...](https://www.rtl-sdr.com/the-radioinstigator-a-150-signals-intelligence-platform-consisting-of-a-raspberry-pi-rpitx-2-4-ghz-crazyradio-and-an-rtl-sdr/)

~~~
peter_d_sherman
Didn't know that that existed... Looks really nice!!!

(Although, technically, to be really secure, you'd have to audit the entire RF
spectrum AND lower frequency wavelengths, i.e., ultrasonic AND have to figure
out what to do with signals that are intermittent and/or frequency hop!!! Then
of course you have the power supply lines and the ability to send super-low
frequency signals via all of that... In other words, you'd have to audit all
wave frequencies from all connected devices, simultaneously, and keep in mind
such possibilities as frequency hopping, and intermittent periods of
silence... like if someone really wanted to be stealthy, they could send
something like 1 byte per hour... and that hour is randomized, so it's
actually a random interval between 50 and 70 minutes... and/or hide that in
random radio noise... the possibilities are endless... <g> (This is why I
leave security to the security people and just assume that no information is
private anymore...))

But, all of that being said, your link looks really nice, and I didn't know
that existed before! It looks cool and worthy of experimentation!

------
transpute
A public STM implementation has long been needed.

In 2009, ITL/Qubes wrote about DRTM (Intel TXT, AMD SKINIT) and STM,
[https://invisiblethingslab.com/resources/bh09dc/Attacking%20...](https://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf)
& [https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rut...](https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)

 _> The late launch ... promises to effectively provide all the benefits of a
computer restart without actually restarting it. It is hard to overemphasize
the potential impact that a technology such as TXT could have on computer
security ... We describe a practical attack that is capable of bypassing the
TXT's trusted boot process ... As part of the attack we also discuss practical
attacks on SMM memory ... Intel's remedy to malicious SMM handler is called
STM, which stands for SMM Transfer Monitor. The purpose of STM is to sandbox
the existing SMM handler by virtualizing it using VT-x and VT-d technologies.
STM should be thought of as of a peer hypervisor to the VMM that is being
loaded using late launch. STM is supposed to be measured during the late
launch process ... no STM, as of today, is unfortunately available on the
market, which yields our attack applicable to all current systems. One aim of
our research ... is to stimulate developers to create an STM._

The May 2019 version of Windows 10 added support ("SystemGuard") for DRTM-
enabled hardware that could benefit from an STM,
[https://www.microsoft.com/security/blog/2018/04/19/introduci...](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) &
[https://www.platformsecuritysummit.com/2018/references/#syst...](https://www.platformsecuritysummit.com/2018/references/#systemguard)

In 2018, NSA gave a presentation on their STM work,
[https://www.platformsecuritysummit.com/2018/speaker/myers/](https://www.platformsecuritysummit.com/2018/speaker/myers/)

 _> We describe our work to demonstrate an enhanced SMI transfer monitor (STM)
to provide protected execution services on the x86 platform ... Our STM
enhancements create a protected execution capability by extending the STM to
support additional VMs (PE/VM)_

From a coreboot developer,
[https://twitter.com/_zaolin_/status/1055474061428572162?s=21](https://twitter.com/_zaolin_/status/1055474061428572162?s=21)

 _> We are currently implementing @intel #TXT and #SRTM measured boot support
as part of Google's verified boot which can be used on all supported platforms
in @coreboot_org_

------
stakhanov
When I read the headline, my brain first parsed it as a scandal breaking, then
I read the article and found that it was not that. I just hope the open source
community will be very serious about auditing that code and not accept any
blobs coming from people affiliated with the NSA.

~~~
unnouinceput
Your brain was correct...something like 5 years before correct. I bet in 5
years this will be a scandal breaking because whatever NSA code gets adopted,
it will be unveiled later as a backdoor.

~~~
kryptiskt
If the NSA wanted to add a backdoor, they would likely not do it in a patch
openly contributed by them.

~~~
stakhanov
It's probably more subtle than that: coreboot is a hodgepodge of open source
aspects and oblique blobs that contain god knows what. That's why libreboot
exists (shares a lot of coreboot code but doesn't allow blobs). If the NSA
wants to do some dirt, then the dirt will probably go into the blobs and/or
happen as a result of how the open source code interacts with the blobs in
ways that are not obvious to anyone who doesn't know what's in the blobs. So I
can see how getting some influence in the coreboot community would be of
strategic value to them to implement schemes to weaken IT security for whoever
they want to weaken it for.

------
zeristor
I was setting up Windows servers 15 years ago, the company was chuffed to be
using special secure NSA tweaked versions of the OS, which was nice of them...

------
ackbar03
Terrific! About time we had some people with proper technical expertise
contributing to our everyday systems. #Taxpayer dollars put to use

------
throwawayf987df
If Govt's around the world want to really secure their IT systems, then just
remove the laws that get hackers into trouble for hacking Govt systems. Still
keep the law for non-Govt systems or for changing anything on a govt system
and then the Govt can sit back and enjoy free pen testing.

------
losttheplot
Keep proven bad actors and miscreants, be it government or large tech, out of
establishing standards.

------
stjohnswarts
What could possibly go wrong.

------
macpete
timeo danaos et dona ferentes

------
DigitalTerminal
LOL! Trusting NSA for UEFI code is like.... I hope cryptographers and hackers
better than what NSA has go through that code with a fine toothed comb.

~~~
ShinTakuya
The title is pretty shitty but you should at least click through before making
a comment.

This is a contribution to Coreboot, which is an alternative to UEFI/BIOS.

As much as I dislike US government agencies in general, I think this time they
have good motive to provide good code. Undermining this code would also
undermine the systems of other government agencies.

In this case, I trust the NSA more than random contributors on the internet
that have less known motives and may in many cases be agents of foreign spy
agencies.

~~~
cannedslime
For non-americans, NSA is a "foreign spy agency"...

~~~
p_l
And "illegal combatant"

