
The Tricky World of Securing Firmware - transpute
https://blogs.intel.com/evangelists/2015/02/20/tricky-world-securing-firmware/
======
guylhem
Dear Bryan who may never read this,

As you clearly say, your job is to serve your clients, the manufacturers who
do not want their BIOSes to be replaced with something else like coreboot.

You say "Intel has to consider the needs of the system manufacturer along with
the end user", but the balance is obviously slanted in one direction. The
reason is simple: we end users are not your customers.

As pointed out before, the trickiest issues are with Intel ME and AMT, which
cannot be removed except on the X200. Otherwise, the luckiest machines will
only reboot every 30 minutes. The others won't boot.

You say "Making firmware more open and more secure is an interesting balancing
act, and I hope we work towards getting it right". I'm sorry but you don't.
Having a backdoor that the physical owner of the machine cannot remove is
neither secure nor open. If there were a jumper that could be used by the
knowledgeable end user to override all this, yes. There is no such thing, only
barriers.

This is a nice PR attempt to deflect the heat towards Lenovo (for the
thinkpads), but sorry, that's vacuous.

There is a moral responsibility in a given design.

At the moment, this is at best the moral equivalent of making weapons without
a safety and saying it's not your fault if they can harm the end user, and
that the end user should direct the complaints to whoever is selling these
defective guns. Sorry, but I disagree.

~~~
pgeorgi
Maybe write that as a comment on his blog? He's quite responsive.

------
pgeorgi
The really interesting bit IMHO is in the comments, where Brian quite bluntly
states that Intel merely provides the tools that system manufacturers (i.e.
Lenovo and so on) want.

So while Intel could make a principled stand here (in favor of end users),
it's ODMs/OEMs that they have to work with primarily. CPUs directly bought by
end users are probably a pretty minor part of their revenue, too.

[edit to add:] Of course, I'd still prefer them to get rid of Verified Boot,
and have OEMs decide between Measured Boot or no verification at all.

------
jkot
The ability to install an alternative operating system (such as Linux) extends
the life expectancy of hardware. That is important for ecology, lower carbon
emissions...

I can easily imagine the EU passing a new law which would require a "signed
bootloader bypass" switch on all newly sold laptops and workstations. Great way
to milk Intel, MS, Apple and other manufacturers for a couple of billion euros.

~~~
Kenji
"Ability to install alternative operating system (such as Linux) extends life
expectancy of hardware."

Why should that be true? Source?

~~~
kabdib
You can use a lighter weight OS than a recent version of Windows, which will
presumably require fewer resources. Or if some of the hardware goes bad (say
the screen fails) but you don't care because you're just doing SSH, you can
still use it.

I have a couple of decade-old laptops that are perfectly happy to run Linux,
and Windows 7 won't even install on them because they don't have enough
memory.

It's also conceivable that a different OS would have a lower thermal profile,
resulting in longer hardware lifetime on average.

------
vfclists
It is the usual "since those who want more control of their systems are a
small minority among a small tech-savvy minority, we really can't be arsed"
excuse.

Firefox has been doing it, Chrome has been doing it, damn near everyone is
doing it.

~~~
dmm
It's frustrating because the same argument could be made about any freedom.
It's always a small minority that needs it.

How many individuals really need the First Amendment? The Saudi kids in my
undergrad PoliSci classes loved to point this out. "Who needs freedom? I'll
take my Mercedes."

------
microcolonel
I like the Acer Chromebook C720(P)'s solution to this.

By default, the firmware is locked, but there's a (warranty voiding if you're
outside of the EU, which I don't mind) screw on the bottom of the machine,
which allows you to flash your own firmware.

This solves one of the problems (upgrading firmware when vendor support runs
out). One of the things that would be nice to explore is creating "flashing
keys" on first boot. Maybe put them on a password-protected USB key or cloud
share that can be held on to until you want to upgrade or modify firmware.

Another solution might be the ability to take out that screw, load your own
key, then reinsert the screw (tripping some sort of hardware fuse to lock it to
that key, maybe).

I don't like the tone of this article, it downplays the importance of
hobbyists, and presents a false dichotomy: firmware which can't be modified by
the owner of the device, versus firmware that can be modified by anyone,
including remote attackers.

We can have our cake and eat it too, we just need to stop giving up so early.

~~~
joe_the_user
This only secures the firmware in the BIOS, correct?

Is it not the case that these days, hard disks and who-knows-what-other
subsystem have their own firmware which can be upgraded and so infected,
separately, right? Infected hard disk firmware being the mode of attack
described for the Equation Group as far as I can tell.

~~~
pgeorgi
And even though the article refers to Equation, Boot Guard doesn't protect
from that either.

------
joe_the_user
I'm not a low-level expert and perhaps people can clear this up, but this seems
to only address the overall system BIOS. The "genius" of the Equation Group
seems to be in infecting not this BIOS but the hard disk's own, private flash
firmware [1]. If Boot Guard affected this, it would be great. I mean, it seems
like a machine with a compromised disk could be compromised even if the boot
image on it was pristine (or just "looked" pristine when polled at a certain
point).

[1] http://www.networkworld.com/article/2885814/security0/has-equation-group-hacked-your-hard-drives-you-won-t-be-able-to-tell.html

------
ericfontaine
I'm not a fan of corporations "securing" my firmware by preventing me from
installing my own custom version. Currently, I use libreboot on my X60s and
Macbook2,1 with GRUB in the firmware and configured to only boot kernels
signed with my own personal key.
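The setup described above, GRUB in the firmware refusing to load kernels not signed with the owner's own key, as an added example that is not from this thread or from libreboot. It assumes GRUB 2.02 or later with the gpg verifier, the owner's public key embedded in the firmware GRUB image at build time, a GPG key ID passed as the first argument, and placeholder file paths under /boot.

```shell
#!/bin/sh
# Added example: owner-controlled kernel signature enforcement for GRUB-in-firmware.
# Assumes GRUB 2.02+ built with the gpg verifier and the owner's public key embedded
# (e.g. grub-mkstandalone --pubkey=owner.key); the kernel/initrd paths are placeholders.

# Emit the grub.cfg fragment that refuses any file without a valid detached signature.
grub_cfg_fragment() {
  cat <<'EOF'
# Every file GRUB reads (kernel, initrd, further config) must have a valid <file>.sig
set check_signatures=enforce
export check_signatures
menuentry 'Linux (owner-signed)' {
  linux  /boot/vmlinuz root=/dev/sda1
  initrd /boot/initrd.img
}
EOF
}

# Produce the detached signatures GRUB looks for, one <file>.sig per boot file.
# $1 is the owner's GPG key ID; the remaining arguments are the files to sign.
sign_boot_files() {
  key="$1"; shift
  for f in "$@"; do
    gpg --batch --yes --detach-sign --local-user "$key" --output "$f.sig" "$f" || return 1
  done
}

# Pre-flight check before relying on enforce mode: a kernel whose signature is missing
# or does not verify would simply be refused at boot, so catch that while still booted.
verify_boot_files() {
  for f in "$@"; do
    [ -f "$f.sig" ] || { echo "missing signature: $f" >&2; return 1; }
    gpg --batch --verify "$f.sig" "$f" 2>/dev/null || { echo "bad signature: $f" >&2; return 1; }
  done
}
```

Run `sign_boot_files <keyid> /boot/vmlinuz /boot/initrd.img` after every kernel update, or the next boot is refused.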

