
Ask HN: Integrity of BIOS update? - rxlim
I want to update the BIOS on my Gigabyte motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http and there is no way to verify it&#x27;s integrity as neither signed or non-signed checksums are available.<p>I&#x27;m extremely uncomfortable with just installing the update without being able to verify it&#x27;s integrity, as I would forever think about if the BIOS has been modified in case the download server has been compromised or by MITM attack while I&#x27;m downloading.<p>What can I do?
======
peter_d_sherman
In theory, you could probably call Gigabyte and ask them to mail you the BIOS
update on disk or CD or something (you know, the old fashioned way), and/or
you might be able to tell them that you feel insecure with plain http, and
maybe they'd change it for you...

But what you're saying points to a larger problem. How do you know that
anything you download from any vendor (and that includes such hallowed things
in the industry as Apple/Ubuntu/Red Hat/Microsoft/Google updates), is really
secure?

The only way to get true security for anything is to build your own processor,
build your own PC, write your own operating system, build your own network
card, and then _hope_ that there aren't any bugs...

Historically, things that were once thought to be secure -- have been proven
over and over again not to be. Case in point: Windows NT -- it had labels all
over the box, to the effect, "It's secure, it's secure". Well, fast forward 17
years or so. Numerous incidents and issues have historically proven those
assertions to be in error... don't take my word for it... look at the
history... Google "Windows NT security vulnerabilities" and you can also add
the word "historical" in there, if you want.

That, and I'm pretty sure as a novice computer historian, that history repeats
itself, although chances are that your BIOS might be perfectly safe even if
you do download it with http (although, make no mistake about it, you are
taking a chance, so "chance-taker beware", as the old saying goes...)

Computer security is a tough business, because on the one hand there's too
little security, and on the other is outright paranoia... what's the correct
balance between those two extremes? I sure as heck don't know...

Anyway... good luck with your BIOS update...

~~~
rxlim
Good points. I must admit that I have not contacted Gigabyte as my experience
with such large companies tells me that I will only get elevated blood
pressure and absolutely no usable answer.

My main concern is not if the BIOS is secure, I'm very sure it's full of
security vulnerabilities like most other software I use, but I have decided to
trust Gigabyte like I have decided to trust the developers who build the Linux
distro I'm using in that they are not malicious and trying to steal my
information. The packages in my Linux distro are signed, so I can verify that
they have not been modified since they left the developers machine, but I
can't do the same thing with the BIOS update and that's what makes me
uncomfortable.

------
ZephyrP
I explored this issue many years ago and, at least at the time, it was my
understanding that for many motherboards it's simply not possible to introduce
unsigned code through software alone.

~~~
totony
I second this, usually bios updates are signed

you could always check if there is a signature with binwalk or smtg if it
makes you feel safer

~~~
rxlim
I did run an older version of binwalk on the firmware image, but it was unable
to unpack anything and only printed false positives. I have now tried the
newest version and it's able to unpack everything and display a lot of
information. The PE modules in UEFI seems to be signed as these signatures are
found many times:

    
    
      Certificate in DER format (x509 v3)
      SHA256 hash constants, little endian
    

Very interesting to dig around in the firmware, I even found the boot splash
image. Definitely a time sink, but fun.

------
whyagaindavid
Download the file in Starbucks + 5 other locations. Check sha1sum. Though not
useful in this situation, but better buy reputed server mobo.

